VDB

GCVE-110-OSM-2026-309

GCVE-110-OSM-2026-309
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 1, 2026
Malicious Go module under github.com/BufferZoneCorp, part of the campaign documented by Socket on 2026-05-01. Executes via init() on import, then harvests developer credentials (SSH, AWS, npm, RubyGems, GitHub CLI, .netrc, Docker, kube, token-bearing env vars), tampers with go.sum, manipulates GOPROXY/GOSUMDB/GOFLAGS/GOMODCACHE, plants a fake 'go' binary on PATH, and exfiltrates collected secrets to a webhook.site C2. Also writes to GITHUB_ENV in CI runners and inserts an SSH key for persistence. === BufferZoneCorp Multi-Ecosystem Credential Theft Campaign === Targets developer machines and GitHub Actions CI runners across Ruby and Go. === STAGE 1: Install-Time / init-Time Execution === - Ruby gems: extconf.rb runs during `gem install` - Go modules: init() runs on first import === STAGE 2: Credential Harvesting === Targeted artifacts: - ~/.ssh/* (private keys) - ~/.aws/credentials and ~/.aws/config - ~/.npmrc (npm auth tokens) - ~/.gem/credentials (RubyGems API keys) - ~/.config/gh/hosts.yml (GitHub CLI) - ~/.netrc - ~/.docker/config.json - ~/.kube/config - Any env var matching: token, key, secret, pass, api, auth === STAGE 3: CI Poisoning & Persistence === - Writes attacker-controlled values to $GITHUB_ENV - Manipulates Go env: GOPROXY, GOSUMDB, GOFLAGS, GOMODCACHE - Tampers with go.sum checksums - Drops fake `go` binary on PATH (path hijack) - Inserts ed25519 SSH public key into ~/.ssh/authorized_keys: AAAAC3NzaC1lZDI1NTE5AAAAIBp9VZGMxqFpTwKbKJi7dS2mNrX3LqEoHcYsWfAkZvUt deploy@buildserver === STAGE 4: Exfiltration === C2 endpoint: https://webhook.site/49c21843-c27c-4a1b-b1f6-037c3998055f Override env var: PKG_ANALYTICS_URL (allows operator to redirect traffic) === Threat Actor === GitHub org: github.com/BufferZoneCorp RubyGems user: knot-theory

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownturbobase.sql-turbo-toolall (affected), all (affected), all (affected), all (affected), all (affected), * (affected)
unknownTessa.Net.V2all (affected)
unknownquartz.quartz-markdown-editor0.3.0 (affected), 0.3.0 (affected), 0.3.0 (affected), 0.3.0 (affected), 0.3.0 (affected), 0.3.0 (affected), 0.3.0 (affected), 0.3.0 (affected)
unknowntwilkbilk.color-highlight-cssall (affected)
unknowngithub.com/BufferZoneCorp/go-metrics-sdkall (affected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›