VDB

GCVE-110-OSM-2026-7729

GCVE-110-OSM-2026-7729
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published July 11, 2026
This extension explicitly self-identifies as a supply-chain security research beacon in both its description and code comments, but it actively exfiltrates real developer PII — OS username, hostname, git user.name, git user.email, git origin remote URL, VS Code machineId, workspace folder paths, and editor version — to the attacker-controlled OAST domain oob.asyncrun.in via HTTP GET with DNS fallback on any firewall block. The 'research' framing does not neutralize the harm: real developer machines running this extension will have identity metadata, project names, and organizational git repo URLs silently transmitted to infrastructure the publisher controls. The two-stage exfil design (HTTP → DNS fallback) is a deliberate evasion technique that goes well beyond a simple install-time ping. While the attacker model (dependency-confusion researcher harvesting proof-of-execution telemetry) is stated and plausible, the actual data collected is sensitive enough to constitute unauthorized data collection from any developer who installs it, warranting registry removal and further review. ENTRY extension.js (vscode-activation: [object Object]) ADDITIONAL FINDINGS - Brand New Package INDICATORS (IOCs) - urls: http://schemas.openxmlformats.org/package/2006/content-types - domains: oob.asyncrun.in

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownqinjia.view-in-browserall (affected)

Browse GCVE Records

73,118 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›