VDB
GCVE-110-OSM-2026-7147
GCVE-110-OSM-2026-7147
Advisory PublishedCVSS 9.6/10
Git Warden confirmed this GitHub repository as malicious through static analysis of its source code, which means the repository was read and never executed. The malicious code was found in the file .vscode/tasks.json. The code runs automatically through a package install hook, so simply installing this project is enough to execute the attacker payload with no further action from the victim. This is the classic supply chain delivery method. An ordinary, trustworthy project would not contain this, so the finding is a strong and dependable indication that the repository was either compromised or was built from the start to deliver malware to anyone who clones or installs it. The exact file, the line number, and the detection rule that matched are included in the evidence reference so a reviewer can open the repository and confirm all of it independently. The delivery method, a .vscode/tasks.json task that automatically runs a remote shell command the moment the repository is opened in VS Code, matches the DPRK-attributed 'Contagious Interview' campaign, in which fake recruiters lure developers into opening a coding-task repository that silently executes a first-stage downloader. The payload is fetched from attacker-controlled infrastructure: default-configuration-sandy.vercel.app.
The malicious payload is located in .vscode/tasks.json. The code runs automatically through a package install hook, so simply installing this project is enough to execute the attacker payload with no further action from the victim. This is the classic supply chain delivery method. The same repository also triggered these additional detections: install_hook.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | all (affected) | — |
References
Browse GCVE Records
72,409 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.