VDB
GCVE-110-OSM-2026-7730
GCVE-110-OSM-2026-7730
Advisory PublishedCVSS 9.6/10
This extension implements a complete credential/identity harvesting beacon under the guise of 'supply-chain security research.' It activates automatically on VS Code startup, reads ~/.gitconfig (git user.name and user.email), the workspace .git/config to extract the origin remote URL, OS hostname, OS username, VS Code machineId, workspace folder paths, and editor identity, then exfiltrates all of this to the attacker-controlled OAST domain 'oob.asyncrun.in' via HTTP GET with a DNS fallback — a two-stage exfil technique specifically designed to succeed through egress filters. The package name 'ms-vsonline.vsonline' is a direct impersonation of Microsoft's VS Online product namespace, which is a dependency-confusion/typosquatting attack vector, not a legitimate research methodology. The 'research' framing in comments does not reduce risk: real developer data (git identities, repo URLs, workspace paths, machine IDs) is being sent to infrastructure the author controls, making every victim a real subject rather than a consenting participant. The attacker model is identity harvesting of VS Code/Cursor developers via marketplace namespace squatting.
ENTRY
extension.js (vscode-activation: [object Object])
ADDITIONAL FINDINGS
- Brand New Package
INDICATORS (IOCs)
- urls: http://schemas.openxmlformats.org/package/2006/content-types
- domains: oob.asyncrun.in
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | ms-vsonline.vsonline | all (affected) | — |
Browse GCVE Records
73,685 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.