VDB

GCVE-110-OSM-2026-3628

GCVE-110-OSM-2026-3628
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 1, 2026
Sleeper Go module under github.com/BufferZoneCorp, staged but not yet weaponized at the time of Socket's 2026-05-01 report. Operator-controlled and expected to follow the same init()-driven credential-theft pattern as the other BufferZoneCorp Go modules. === BufferZoneCorp Multi-Ecosystem Credential Theft Campaign === Targets developer machines and GitHub Actions CI runners across Ruby and Go. === STAGE 1: Install-Time / init-Time Execution === - Ruby gems: extconf.rb runs during `gem install` - Go modules: init() runs on first import === STAGE 2: Credential Harvesting === Targeted artifacts: - ~/.ssh/* (private keys) - ~/.aws/credentials and ~/.aws/config - ~/.npmrc (npm auth tokens) - ~/.gem/credentials (RubyGems API keys) - ~/.config/gh/hosts.yml (GitHub CLI) - ~/.netrc - ~/.docker/config.json - ~/.kube/config - Any env var matching: token, key, secret, pass, api, auth === STAGE 3: CI Poisoning & Persistence === - Writes attacker-controlled values to $GITHUB_ENV - Manipulates Go env: GOPROXY, GOSUMDB, GOFLAGS, GOMODCACHE - Tampers with go.sum checksums - Drops fake `go` binary on PATH (path hijack) - Inserts ed25519 SSH public key into ~/.ssh/authorized_keys: AAAAC3NzaC1lZDI1NTE5AAAAIBp9VZGMxqFpTwKbKJi7dS2mNrX3LqEoHcYsWfAkZvUt deploy@buildserver === STAGE 4: Exfiltration === C2 endpoint: https://webhook.site/49c21843-c27c-4a1b-b1f6-037c3998055f Override env var: PKG_ANALYTICS_URL (allows operator to redirect traffic) === Threat Actor === GitHub org: github.com/BufferZoneCorp RubyGems user: knot-theory

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowngithub.com/BufferZoneCorp/log-coreall (affected)

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›