{"id":773,"date":"2026-05-01T10:34:00","date_gmt":"2026-05-01T10:34:00","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=773"},"modified":"2026-05-01T10:34:00","modified_gmt":"2026-05-01T10:34:00","slug":"poisoned-ruby-gems-and-go-modules-exploit-ci-pipelines-for-credential-theft","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=773","title":{"rendered":"Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">May 01, 2026<\/span><\/span><span class=\"p-tags\">Supply Chain Attack \/ Malware<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhNz4euGufhcyWdY8TkRfdXBUj2XXZlzQWEb1QyI7otpos158ctsC236sEm2NAZ20sUZv4AOqrGCSTbjGsOOkMwhQv53ZjyrVXf9SVUsMfhvhQ4LzGL87j44f0kMkXRzBAoWeHDz8hywx4gbW_trN1mFk-xCCZatTf0zNsude7k-3WE9kIY_pPgza53qsdc\/s1700-e365\/buffer.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that enabled credential theft, GitHub Actions tampering, and SSH persistence.<\/p>\n<p>The activity has been attributed to the GitHub account \u00ab<strong>BufferZoneCorp<\/strong>,\u00bb which has published a set of repositories that are associated with malicious Ruby gems and Go modules. As of writing, the packages have been yanked from RubyGems, and the Go modules have been blocked. The names of the libraries are listed below &#8211;<\/p>\n<ul>\n<li><strong>Ruby:<\/strong>\n<ul>\n<li>knot-activesupport-logger<\/li>\n<li>knot-devise-jwt-helper<\/li>\n<li>knot-rack-session-store<\/li>\n<li>knot-rails-assets-pipeline<\/li>\n<li>knot-rspec-formatter-json<\/li>\n<li>knot-date-utils-rb (Sleeper gem)<\/li>\n<li>knot-simple-formatter (Sleeper gem)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Go:<\/strong>\n<ul>\n<li>github[.]com\/BufferZoneCorp\/go-metrics-sdk<\/li>\n<li>github[.]com\/BufferZoneCorp\/go-weather-sdk<\/li>\n<li>github[.]com\/BufferZoneCorp\/go-retryablehttp<\/li>\n<li>github[.]com\/BufferZoneCorp\/go-stdlib-ext<\/li>\n<li>github[.]com\/BufferZoneCorp\/grpc-client<\/li>\n<li>github[.]com\/BufferZoneCorp\/net-helper<\/li>\n<li>github[.]com\/BufferZoneCorp\/config-loader<\/li>\n<li>github[.]com\/BufferZoneCorp\/log-core (Sleeper module)<\/li>\n<li>github[.]com\/BufferZoneCorp\/go-envconfig (Sleeper module)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The identified packages masquerade as recognizable and well-known modules like activesupport-logger, devise-jwt, go-retryablehttp, grpc-client, and config-loader so as to evade detection and trick users into downloading them.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/threatlabz-vpn-risk-2026-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhnNON5UeWywT7OcPNw7V4L7QNWnCnm7Xl_99Y9ek8dL-gRwx-bWxQM1TKqt8deqqrdpUyKMuuijAWyyPQVB0s0qf8ntQ6ldFAJLru-QUWhddKTopc7SeNbBBnd-TsfFyRPP-AAyDuclLlL6XHK4_LXqDC_7eyaz9pzToYr7U543MhrJ7qcK-89sVWHTQUZ\/s728-e100\/zz-2-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>\u00abThe account is part of a software supply chain campaign targeting developers, CI runners, and build environments across two ecosystems,\u00bb Socket security researcher Kirill Boychenko <a href=\"https:\/\/socket.dev\/blog\/malicious-ruby-gems-and-go-modules-steal-secrets-poison-ci\">said<\/a> in an analysis published today.<\/p>\n<p>The Ruby gems are designed to automate credential theft during install time, harvesting environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI configuration, and RubyGems credentials. The stolen data is then exfiltrated to an attacker-controlled Webhook[.]site endpoint.<\/p>\n<p>On the other hand, the Go modules harbor broader capabilities to tamper with GitHub Actions workflows, plant fake Go wrappers, steal developer data, and add a hard-coded SSH public key to \u00ab~\/.ssh\/authorized_keys\u00bb for remote access to the compromised host. The modules do not all have the same payload; instead, they are spread across the cluster.<\/p>\n<p>\u00abThe module executes through init(), detects GITHUB_ENV and GITHUB_PATH, sets HTTP_PROXY and HTTPS_PROXY, writes a fake go executable into a cache directory, and appends that directory to the workflow path so the wrapper is selected before the real binary,\u00bb Boychenko explained.<\/p>\n<p>\u00abThat wrapper can then intercept or influence later go executions while still passing control to the legitimate binary to avoid breaking the job.\u00bb<\/p>\n<p>Users who have installed the packages are advised to remove them from their systems, review for signs of access to sensitive files or unauthorized changes to \u00ab~\/.ssh\/authorized_keys,\u00bb rotate exposed credentials, and inspect network logs for outbound HTTPS traffic to the exfiltration point.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802May 01, 2026Supply Chain Attack \/ Malware A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that&hellip;<\/p>\n","protected":false},"author":1,"featured_media":774,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[459,120,1490,1491,577,1488,1489,526],"class_list":["post-773","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-credential","tag-exploit","tag-gems","tag-modules","tag-pipelines","tag-poisoned","tag-ruby","tag-theft"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/773","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=773"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/773\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/774"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=773"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=773"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=773"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}