VDB

GCVE-110-OSM-2026-326

GCVE-110-OSM-2026-326
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 1, 2026
Malicious Ruby gem published by RubyGems user 'knot-theory' as part of the BufferZoneCorp campaign documented by Socket on 2026-05-01. The gem executes attacker code at install time via extconf.rb, then harvests developer credentials (SSH keys, AWS, npm, RubyGems, GitHub CLI, .netrc, Docker, kube configs, tokenized env vars) and exfiltrates them to a webhook.site C2. Also poisons GitHub Actions by writing to GITHUB_ENV and inserting an attacker SSH key into ~/.ssh/authorized_keys for persistence. === BufferZoneCorp Multi-Ecosystem Credential Theft Campaign === Targets developer machines and GitHub Actions CI runners across Ruby and Go. === STAGE 1: Install-Time / init-Time Execution === - Ruby gems: extconf.rb runs during `gem install` - Go modules: init() runs on first import === STAGE 2: Credential Harvesting === Targeted artifacts: - ~/.ssh/* (private keys) - ~/.aws/credentials and ~/.aws/config - ~/.npmrc (npm auth tokens) - ~/.gem/credentials (RubyGems API keys) - ~/.config/gh/hosts.yml (GitHub CLI) - ~/.netrc - ~/.docker/config.json - ~/.kube/config - Any env var matching: token, key, secret, pass, api, auth === STAGE 3: CI Poisoning & Persistence === - Writes attacker-controlled values to $GITHUB_ENV - Manipulates Go env: GOPROXY, GOSUMDB, GOFLAGS, GOMODCACHE - Tampers with go.sum checksums - Drops fake `go` binary on PATH (path hijack) - Inserts ed25519 SSH public key into ~/.ssh/authorized_keys: AAAAC3NzaC1lZDI1NTE5AAAAIBp9VZGMxqFpTwKbKJi7dS2mNrX3LqEoHcYsWfAkZvUt deploy@buildserver === STAGE 4: Exfiltration === C2 endpoint: https://webhook.site/49c21843-c27c-4a1b-b1f6-037c3998055f Override env var: PKG_ANALYTICS_URL (allows operator to redirect traffic) === Threat Actor === GitHub org: github.com/BufferZoneCorp RubyGems user: knot-theory

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownredcapcollective.vscode-quarkus-elite-suiteall (affected), all (affected), all (affected), all (affected), all (affected), * (affected)
unknownZendeskApi.Client.V2all (affected)
unknownsol-studio.solidity-extensionall (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), * (affected)
unknownknot-rack-session-storeall (affected)
unknownrubyideext.ruby-ide-extensionall (affected)

Browse GCVE Records

71,925 records in the GCVE database · Updated July 13, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›