Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft
Poisoned Ruby gems and Go modules in sleeper packages steal credentials and enable CI/CD tampering.
Summary
A supply chain attack campaign attributed to GitHub account 'BufferZoneCorp' distributes malicious Ruby gems and Go modules that masquerade as legitimate libraries. The Ruby packages harvest credentials and environment variables at install time, while Go modules tamper with GitHub Actions workflows, plant SSH backdoors, and intercept binary execution. Both have been removed from package registries; affected users are advised to rotate credentials and audit systems.
Full text
Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft Ravie LakshmananMay 01, 2026Supply Chain Attack / Malware A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that enabled credential theft, GitHub Actions tampering, and SSH persistence. The activity has been attributed to the GitHub account "BufferZoneCorp," which has published a set of repositories that are associated with malicious Ruby gems and Go modules. As of writing, the packages have been yanked from RubyGems, and the Go modules have been blocked. The names of the libraries are listed below - Ruby: knot-activesupport-logger knot-devise-jwt-helper knot-rack-session-store knot-rails-assets-pipeline knot-rspec-formatter-json knot-date-utils-rb (Sleeper gem) knot-simple-formatter (Sleeper gem) Go: github[.]com/BufferZoneCorp/go-metrics-sdk github[.]com/BufferZoneCorp/go-weather-sdk github[.]com/BufferZoneCorp/go-retryablehttp github[.]com/BufferZoneCorp/go-stdlib-ext github[.]com/BufferZoneCorp/grpc-client github[.]com/BufferZoneCorp/net-helper github[.]com/BufferZoneCorp/config-loader github[.]com/BufferZoneCorp/log-core (Sleeper module) github[.]com/BufferZoneCorp/go-envconfig (Sleeper module) The identified packages masquerade as recognizable and well-known modules like activesupport-logger, devise-jwt, go-retryablehttp, grpc-client, and config-loader so as to evade detection and trick users into downloading them. "The account is part of a software supply chain campaign targeting developers, CI runners, and build environments across two ecosystems," Socket security researcher Kirill Boychenko said in an analysis published today. The Ruby gems are designed to automate credential theft during install time, harvesting environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI configuration, and RubyGems credentials. The stolen data is then exfiltrated to an attacker-controlled Webhook[.]site endpoint. On the other hand, the Go modules harbor broader capabilities to tamper with GitHub Actions workflows, plant fake Go wrappers, steal developer data, and add a hard-coded SSH public key to "~/.ssh/authorized_keys" for remote access to the compromised host. The modules do not all have the same payload; instead, they are spread across the cluster. "The module executes through init(), detects GITHUB_ENV and GITHUB_PATH, sets HTTP_PROXY and HTTPS_PROXY, writes a fake go executable into a cache directory, and appends that directory to the workflow path so the wrapper is selected before the real binary," Boychenko explained. "That wrapper can then intercept or influence later go executions while still passing control to the legitimate binary to avoid breaking the job." Users who have installed the packages are advised to remove them from their systems, review for signs of access to sensitive files or unauthorized changes to "~/.ssh/authorized_keys," rotate exposed credentials, and inspect network logs for outbound HTTPS traffic to the exfiltration point. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE CI/CD, Credential Theft, cybersecurity, DevOps Security, GitHub, Golang, Malware, Ruby, software security, supply chain attack ⚡ Top Stories This Week Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Vercel Finds More Compromised Accounts in Context.ai-Linked Breach ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately ⭐ Featured Resources [Webinar] Stop Chasing Alerts and Start Focusing on Real Exposures [Guide] How to Enable Secure Data Movement Without Added Risk Learn How Hidden Identity Blind Spots Weaken Your Security Systems [Guide] Learn a Practical Framework to Evaluate AI Tools for Production
Indicators of Compromise
- domain — webhook.site
- malware — BufferZoneCorp Ruby Gems (knot-activesupport-logger, knot-devise-jwt-helper, knot-rack-session-store, knot-rails-assets-pipeline, knot-rspec-formatter-json, knot-date-utils-rb, knot-simple-formatter)
- malware — BufferZoneCorp Go Modules (go-metrics-sdk, go-weather-sdk, go-retryablehttp, go-stdlib-ext, grpc-client, net-helper, config-loader, log-core, go-envconfig)