VDB

GCVE-110-OSM-2026-322

GCVE-110-OSM-2026-322
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 1, 2026
Sleeper Ruby gem published by RubyGems user 'knot-theory' under the BufferZoneCorp campaign. Currently benign but operator-controlled and staged for activation following the same install-time exfiltration pattern as the other knot-* gems documented by Socket on 2026-05-01. === BufferZoneCorp Multi-Ecosystem Credential Theft Campaign === Targets developer machines and GitHub Actions CI runners across Ruby and Go. === STAGE 1: Install-Time / init-Time Execution === - Ruby gems: extconf.rb runs during `gem install` - Go modules: init() runs on first import === STAGE 2: Credential Harvesting === Targeted artifacts: - ~/.ssh/* (private keys) - ~/.aws/credentials and ~/.aws/config - ~/.npmrc (npm auth tokens) - ~/.gem/credentials (RubyGems API keys) - ~/.config/gh/hosts.yml (GitHub CLI) - ~/.netrc - ~/.docker/config.json - ~/.kube/config - Any env var matching: token, key, secret, pass, api, auth === STAGE 3: CI Poisoning & Persistence === - Writes attacker-controlled values to $GITHUB_ENV - Manipulates Go env: GOPROXY, GOSUMDB, GOFLAGS, GOMODCACHE - Tampers with go.sum checksums - Drops fake `go` binary on PATH (path hijack) - Inserts ed25519 SSH public key into ~/.ssh/authorized_keys: AAAAC3NzaC1lZDI1NTE5AAAAIBp9VZGMxqFpTwKbKJi7dS2mNrX3LqEoHcYsWfAkZvUt deploy@buildserver === STAGE 4: Exfiltration === C2 endpoint: https://webhook.site/49c21843-c27c-4a1b-b1f6-037c3998055f Override env var: PKG_ANALYTICS_URL (allows operator to redirect traffic) === Threat Actor === GitHub org: github.com/BufferZoneCorp RubyGems user: knot-theory

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownsun-shine-studio.shiny-extension-for-vscodeall (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected)
unknownStl.Blazor.Authentication.Netall (affected)
unknownknot-simple-formatterall (affected)
unknownsol-studio.solidity-extensionall (affected), * (affected), all (affected), all (affected), all (affected), all (affected)
unknownssgwysc.volar-vscode* (affected)

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›