VDB
GCVE-110-OSM-2026-307
GCVE-110-OSM-2026-307
Advisory PublishedCVSS 9.6/10
Malicious Go module under github.com/BufferZoneCorp, part of the campaign documented by Socket on 2026-05-01. Executes via init() on import, then harvests developer credentials (SSH, AWS, npm, RubyGems, GitHub CLI, .netrc, Docker, kube, token-bearing env vars), tampers with go.sum, manipulates GOPROXY/GOSUMDB/GOFLAGS/GOMODCACHE, plants a fake 'go' binary on PATH, and exfiltrates collected secrets to a webhook.site C2. Also writes to GITHUB_ENV in CI runners and inserts an SSH key for persistence.
=== BufferZoneCorp Multi-Ecosystem Credential Theft Campaign ===
Targets developer machines and GitHub Actions CI runners across Ruby and Go.
=== STAGE 1: Install-Time / init-Time Execution ===
- Ruby gems: extconf.rb runs during `gem install`
- Go modules: init() runs on first import
=== STAGE 2: Credential Harvesting ===
Targeted artifacts:
- ~/.ssh/* (private keys)
- ~/.aws/credentials and ~/.aws/config
- ~/.npmrc (npm auth tokens)
- ~/.gem/credentials (RubyGems API keys)
- ~/.config/gh/hosts.yml (GitHub CLI)
- ~/.netrc
- ~/.docker/config.json
- ~/.kube/config
- Any env var matching: token, key, secret, pass, api, auth
=== STAGE 3: CI Poisoning & Persistence ===
- Writes attacker-controlled values to $GITHUB_ENV
- Manipulates Go env: GOPROXY, GOSUMDB, GOFLAGS, GOMODCACHE
- Tampers with go.sum checksums
- Drops fake `go` binary on PATH (path hijack)
- Inserts ed25519 SSH public key into ~/.ssh/authorized_keys:
AAAAC3NzaC1lZDI1NTE5AAAAIBp9VZGMxqFpTwKbKJi7dS2mNrX3LqEoHcYsWfAkZvUt deploy@buildserver
=== STAGE 4: Exfiltration ===
C2 endpoint: https://webhook.site/49c21843-c27c-4a1b-b1f6-037c3998055f
Override env var: PKG_ANALYTICS_URL (allows operator to redirect traffic)
=== Threat Actor ===
GitHub org: github.com/BufferZoneCorp
RubyGems user: knot-theory
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | yamaprolas.revature-labs-extension | all (affected) | — |
| unknown | vce-brendan-studio-eich.js-debuger-vscode | all (affected), all (affected), all (affected), all (affected), * (affected), all (affected) | — |
| unknown | Tessa.Server.Net | all (affected) | — |
| unknown | github.com/bpoorman/uuid | all (affected), * (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected) | — |
| unknown | github.com/BufferZoneCorp/go-retryablehttp | all (affected) | — |
References
Browse GCVE Records
72,409 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.