VDB
GCVE-110-OSM-2026-7729
GCVE-110-OSM-2026-7729
Advisory PublishedCVSS 5.4/10
This extension explicitly self-identifies as a supply-chain security research beacon in both its description and code comments, but it actively exfiltrates real developer PII — OS username, hostname, git user.name, git user.email, git origin remote URL, VS Code machineId, workspace folder paths, and editor version — to the attacker-controlled OAST domain oob.asyncrun.in via HTTP GET with DNS fallback on any firewall block. The 'research' framing does not neutralize the harm: real developer machines running this extension will have identity metadata, project names, and organizational git repo URLs silently transmitted to infrastructure the publisher controls. The two-stage exfil design (HTTP → DNS fallback) is a deliberate evasion technique that goes well beyond a simple install-time ping. While the attacker model (dependency-confusion researcher harvesting proof-of-execution telemetry) is stated and plausible, the actual data collected is sensitive enough to constitute unauthorized data collection from any developer who installs it, warranting registry removal and further review.
ENTRY
extension.js (vscode-activation: [object Object])
ADDITIONAL FINDINGS
- Brand New Package
INDICATORS (IOCs)
- urls: http://schemas.openxmlformats.org/package/2006/content-types
- domains: oob.asyncrun.in
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | qinjia.view-in-browser | all (affected) | — |
Browse GCVE Records
73,118 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.