VDB

GCVE-110-OSM-2026-7730

GCVE-110-OSM-2026-7730
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published July 11, 2026
This extension implements a complete credential/identity harvesting beacon under the guise of 'supply-chain security research.' It activates automatically on VS Code startup, reads ~/.gitconfig (git user.name and user.email), the workspace .git/config to extract the origin remote URL, OS hostname, OS username, VS Code machineId, workspace folder paths, and editor identity, then exfiltrates all of this to the attacker-controlled OAST domain 'oob.asyncrun.in' via HTTP GET with a DNS fallback — a two-stage exfil technique specifically designed to succeed through egress filters. The package name 'ms-vsonline.vsonline' is a direct impersonation of Microsoft's VS Online product namespace, which is a dependency-confusion/typosquatting attack vector, not a legitimate research methodology. The 'research' framing in comments does not reduce risk: real developer data (git identities, repo URLs, workspace paths, machine IDs) is being sent to infrastructure the author controls, making every victim a real subject rather than a consenting participant. The attacker model is identity harvesting of VS Code/Cursor developers via marketplace namespace squatting. ENTRY extension.js (vscode-activation: [object Object]) ADDITIONAL FINDINGS - Brand New Package INDICATORS (IOCs) - urls: http://schemas.openxmlformats.org/package/2006/content-types - domains: oob.asyncrun.in

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownms-vsonline.vsonlineall (affected)

Browse GCVE Records

73,685 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›