Malicious Package Affecting knot-rspec-formatter-json package, versions >=0.0.0
Threat Intelligence
Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUBY-KNOTRSPECFORMATTERJSON-16690907
- published14 May 2026
- disclosed14 May 2026
- creditKirill Boychenko
Introduced: 14 May 2026
New Malicious CVE NOT AVAILABLE CWE-506 (opens in a new tab)How to fix?
Avoid using all malicious instances of the knot-rspec-formatter-json package.
Overview
knot-rspec-formatter-json is a malicious package.
This package is part of a malicious cluster of Ruby gems published by the threat actor knot-theory. Designed to impersonate legitimate utilities, it executes a payload upon installation that harvests environment variables, SSH keys, AWS credentials, and configuration files.
Stolen data is exfiltrated to an external endpoint, specifically targeting developer systems and CI environments. All versions are compromised and should be removed immediately.
Note: While earlier versions may have appeared benign to evade detection, the maintainer's intent was malicious, and all versions should be considered compromised.