VDB

GCVE-110-OSM-2026-307

GCVE-110-OSM-2026-307
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 1, 2026
Malicious Go module under github.com/BufferZoneCorp, part of the campaign documented by Socket on 2026-05-01. Executes via init() on import, then harvests developer credentials (SSH, AWS, npm, RubyGems, GitHub CLI, .netrc, Docker, kube, token-bearing env vars), tampers with go.sum, manipulates GOPROXY/GOSUMDB/GOFLAGS/GOMODCACHE, plants a fake 'go' binary on PATH, and exfiltrates collected secrets to a webhook.site C2. Also writes to GITHUB_ENV in CI runners and inserts an SSH key for persistence. === BufferZoneCorp Multi-Ecosystem Credential Theft Campaign === Targets developer machines and GitHub Actions CI runners across Ruby and Go. === STAGE 1: Install-Time / init-Time Execution === - Ruby gems: extconf.rb runs during `gem install` - Go modules: init() runs on first import === STAGE 2: Credential Harvesting === Targeted artifacts: - ~/.ssh/* (private keys) - ~/.aws/credentials and ~/.aws/config - ~/.npmrc (npm auth tokens) - ~/.gem/credentials (RubyGems API keys) - ~/.config/gh/hosts.yml (GitHub CLI) - ~/.netrc - ~/.docker/config.json - ~/.kube/config - Any env var matching: token, key, secret, pass, api, auth === STAGE 3: CI Poisoning & Persistence === - Writes attacker-controlled values to $GITHUB_ENV - Manipulates Go env: GOPROXY, GOSUMDB, GOFLAGS, GOMODCACHE - Tampers with go.sum checksums - Drops fake `go` binary on PATH (path hijack) - Inserts ed25519 SSH public key into ~/.ssh/authorized_keys: AAAAC3NzaC1lZDI1NTE5AAAAIBp9VZGMxqFpTwKbKJi7dS2mNrX3LqEoHcYsWfAkZvUt deploy@buildserver === STAGE 4: Exfiltration === C2 endpoint: https://webhook.site/49c21843-c27c-4a1b-b1f6-037c3998055f Override env var: PKG_ANALYTICS_URL (allows operator to redirect traffic) === Threat Actor === GitHub org: github.com/BufferZoneCorp RubyGems user: knot-theory

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownyamaprolas.revature-labs-extensionall (affected)
unknownvce-brendan-studio-eich.js-debuger-vscodeall (affected), all (affected), all (affected), all (affected), * (affected), all (affected)
unknownTessa.Server.Netall (affected)
unknowngithub.com/bpoorman/uuidall (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected)
unknowngithub.com/BufferZoneCorp/go-retryablehttpall (affected)

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›