VDB
GCVE-110-OSM-2026-322
GCVE-110-OSM-2026-322
Advisory PublishedCVSS 8.8/10
Sleeper Ruby gem published by RubyGems user 'knot-theory' under the BufferZoneCorp campaign. Currently benign but operator-controlled and staged for activation following the same install-time exfiltration pattern as the other knot-* gems documented by Socket on 2026-05-01.
=== BufferZoneCorp Multi-Ecosystem Credential Theft Campaign ===
Targets developer machines and GitHub Actions CI runners across Ruby and Go.
=== STAGE 1: Install-Time / init-Time Execution ===
- Ruby gems: extconf.rb runs during `gem install`
- Go modules: init() runs on first import
=== STAGE 2: Credential Harvesting ===
Targeted artifacts:
- ~/.ssh/* (private keys)
- ~/.aws/credentials and ~/.aws/config
- ~/.npmrc (npm auth tokens)
- ~/.gem/credentials (RubyGems API keys)
- ~/.config/gh/hosts.yml (GitHub CLI)
- ~/.netrc
- ~/.docker/config.json
- ~/.kube/config
- Any env var matching: token, key, secret, pass, api, auth
=== STAGE 3: CI Poisoning & Persistence ===
- Writes attacker-controlled values to $GITHUB_ENV
- Manipulates Go env: GOPROXY, GOSUMDB, GOFLAGS, GOMODCACHE
- Tampers with go.sum checksums
- Drops fake `go` binary on PATH (path hijack)
- Inserts ed25519 SSH public key into ~/.ssh/authorized_keys:
AAAAC3NzaC1lZDI1NTE5AAAAIBp9VZGMxqFpTwKbKJi7dS2mNrX3LqEoHcYsWfAkZvUt deploy@buildserver
=== STAGE 4: Exfiltration ===
C2 endpoint: https://webhook.site/49c21843-c27c-4a1b-b1f6-037c3998055f
Override env var: PKG_ANALYTICS_URL (allows operator to redirect traffic)
=== Threat Actor ===
GitHub org: github.com/BufferZoneCorp
RubyGems user: knot-theory
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | sun-shine-studio.shiny-extension-for-vscode | all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected) | — |
| unknown | Stl.Blazor.Authentication.Net | all (affected) | — |
| unknown | knot-simple-formatter | all (affected) | — |
| unknown | sol-studio.solidity-extension | all (affected), * (affected), all (affected), all (affected), all (affected), all (affected) | — |
| unknown | ssgwysc.volar-vscode | * (affected) | — |
References
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.