Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft

Published:

1 May 2026 at 09:43:00

Alert date:

1 May 2026 at 10:01:01

Source:

thehackernews.com

Supply Chain & Dependencies, Data Breach & Exfiltration

A sophisticated software supply chain attack campaign attributed to GitHub account 'BufferZoneCorp' has been discovered using sleeper packages to distribute malicious payloads. The attack targets CI/CD pipelines through poisoned Ruby gems and Go modules, enabling credential theft, GitHub Actions tampering, and SSH persistence. The campaign demonstrates advanced tactics by using legitimate-looking repositories to distribute malware that specifically targets development and deployment infrastructure. This represents a significant threat to software development workflows and supply chain security.

Technical details

A software supply chain attack campaign uses sleeper packages to push malicious payloads for credential theft, GitHub Actions tampering, and SSH persistence. The Ruby gems automate credential theft at install time, harvesting environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI configuration, and RubyGems credentials. The Go modules tamper with GitHub Actions workflows: code in an init() function runs as soon as the module is imported, checks for the GITHUB_ENV and GITHUB_PATH variables that mark a GitHub Actions runner, sets HTTP_PROXY and HTTPS_PROXY, writes a fake go executable into the cache directory, and appends that directory to the workflow path. The wrapper intercepts go invocations while passing control through to the legitimate binary. The modules also add a hard-coded SSH public key to ~/.ssh/authorized_keys for remote access.

Mitigation steps:

Remove the malicious packages from systems
Review for signs of access to sensitive files
Check for unauthorized changes to ~/.ssh/authorized_keys
Rotate exposed credentials
Inspect network logs for outbound HTTPS traffic to exfiltration points
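A runner-side audit for two of the checks listed above (a go executable that shadows the real toolchain on PATH, and authorized_keys entries that are not on an allow-list), added here as an example; it is not code from the advisory, the campaign, or the Go project, and the paths, allow-list and sample data are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one matched indicator; Kind names the check, Detail the evidence.
type Finding struct{ Kind, Detail string }

// ShadowGo flags any PATH directory other than $GOROOT/bin holding an executable named
// "go" (a planted wrapper earlier in PATH shadows the real toolchain); exists is injected so the check can run on constructed data.
func ShadowGo(pathEntries []string, goroot string, exists func(string) bool) []Finding {
	var out []Finding
	toolchain := filepath.Clean(filepath.Join(goroot, "bin"))
	for _, dir := range pathEntries {
		if p := filepath.Join(dir, "go"); dir != "" && filepath.Clean(dir) != toolchain && exists(p) {
			out = append(out, Finding{"shadow-go", p})
		}
	}
	return out
}

// UnknownKeys returns authorized_keys entries whose "type blob" pair is not on the
// allow-list; comment lines, leading options (command="...") and trailing comments are ignored.
func UnknownKeys(authorizedKeys string, allow map[string]bool) []Finding {
	var out []Finding
	for _, line := range strings.Split(authorizedKeys, "\n") {
		f := strings.Fields(line)
		for i := 0; i+1 < len(f) && !strings.HasPrefix(f[0], "#"); i++ {
			if t := f[i]; strings.HasPrefix(t, "ssh-") || strings.HasPrefix(t, "ecdsa-") || strings.HasPrefix(t, "sk-") {
				if key := t + " " + f[i+1]; !allow[key] {
					out = append(out, Finding{"unknown-authorized-key", key})
				}
				break
			}
		}
	}
	return out
}

func main() {
	// Assumption: GOROOT is set on the runner (otherwise take it from `go env GOROOT`).
	exists := func(p string) bool { st, err := os.Stat(p); return err == nil && !st.IsDir() }
	for _, f := range ShadowGo(filepath.SplitList(os.Getenv("PATH")), os.Getenv("GOROOT"), exists) {
		fmt.Printf("%s: %s\n", f.Kind, f.Detail)
	}
}
```

Wire UnknownKeys the same way by reading ~/.ssh/authorized_keys and passing the keys your runner image is supposed to carry as the allow-list.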

Affected products:

knot-activesupport-logger
knot-devise-jwt-helper
knot-rack-session-store
knot-rails-assets-pipeline
knot-rspec-formatter-json
knot-date-utils-rb
knot-simple-formatter
github.com/BufferZoneCorp/go-metrics-sdk
github.com/BufferZoneCorp/go-weather-sdk
github.com/BufferZoneCorp/go-retryablehttp
github.com/BufferZoneCorp/go-stdlib-ext
github.com/BufferZoneCorp/grpc-client
github.com/BufferZoneCorp/net-helper
github.com/BufferZoneCorp/config-loader
github.com/BufferZoneCorp/log-core
github.com/BufferZoneCorp/go-envconfig
RubyGems
Go modules
GitHub Actions
CI pipelines

Related links:

Related CVEs:

Related threat actors:

IOCs:

BufferZoneCorp GitHub account, Webhook.site endpoint, ~/.ssh/authorized_keys modifications, HTTP_PROXY and HTTPS_PROXY environment variable modifications, Fake go executable in cache directory

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website shows information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.