Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft
Malicious Ruby Gems and Go Modules Target Developer Credentials and CI Pipelines
TL;DR
A supply chain attack campaign attributed to the GitHub account "BufferZoneCorp" deployed poisoned Ruby gems and Go modules designed to steal credentials, tamper with GitHub Actions workflows, and establish SSH persistence on developer machines and CI runners. The packages masquerade as legitimate libraries and have since been yanked from RubyGems and blocked from Go module registries. Organizations using affected packages should immediately remove them, rotate credentials, and audit for unauthorized access.
What happened
A coordinated software supply chain attack has distributed malicious Ruby gems and Go modules under the "BufferZoneCorp" GitHub account. The campaign uses a two-stage approach: sleeper packages that remain dormant until triggered, then deploy payloads designed to compromise development environments and CI infrastructure.
The Ruby gems target credential harvesting at install time. When installed, they collect environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI configuration, and RubyGems credentials. The stolen data is exfiltrated to an attacker-controlled Webhook.site endpoint.
The Go modules employ a more sophisticated approach. They detect when running in GitHub Actions environments by checking for GITHUB_ENV and GITHUB_PATH variables. Once detected, they write a fake Go executable into a cache directory and manipulate the workflow PATH so the wrapper executes before the legitimate Go binary. This wrapper can intercept Go commands while passing control to the real binary to avoid breaking the build. The Go modules also write a hard-coded SSH public key to ~/.ssh/authorized_keys, enabling persistent remote access to the compromised system.
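The PATH manipulation described above works because a CI step only ever sees the first `go` that the lookup finds, so `command -v go` alone will not reveal a second binary sitting behind it. The following script is an added example written for this advisory; it is not code from the advisory or from any of the packages it names. It enumerates every `go` executable on a PATH string and reports when the winner is not the toolchain directory. Assumption: the expected Go binary lives in the directory passed as the second argument, typically `$(go env GOROOT)/bin`; the sample PATH entries in the usage comment are illustrative.

```sh
#!/bin/sh
# Added example, not code from the advisory or from the packages it describes.
# Enumerate every "go" executable on a PATH string so a CI step can tell
# whether the toolchain binary is the one that actually wins the lookup.
# Assumption: the expected Go binary lives in the directory given as the
# second argument to check_go_shadow, e.g. "$(go env GOROOT)/bin".

# Print each directory on the given PATH string that holds an executable file
# named "go", one per line, in lookup order. An empty PATH entry means ".".
list_go_dirs() {
    _path="$1"
    _old_ifs="$IFS"
    IFS=:
    for _dir in $_path; do
        [ -n "$_dir" ] || _dir="."
        if [ -f "$_dir/go" ] && [ -x "$_dir/go" ]; then
            printf '%s\n' "$_dir"
        fi
    done
    IFS="$_old_ifs"
}

# Count the distinct directories on PATH that carry a "go" binary. More than
# one on a CI runner deserves a look even when the expected one currently wins.
count_go_dirs() {
    list_go_dirs "$1" | sort -u | wc -l | tr -d ' '
}

# Exit status 0: the first "go" on PATH is the expected one.
#             1: another directory is found first (a wrapper shadows the toolchain).
#             2: no "go" on PATH at all.
check_go_shadow() {
    _path="$1"
    _expected="$2"
    _first=$(list_go_dirs "$_path" | head -n 1)
    if [ -z "$_first" ]; then
        echo "no go binary on PATH" >&2
        return 2
    fi
    if [ "$_first" = "$_expected" ]; then
        return 0
    fi
    echo "WARN: $_first/go shadows $_expected/go" >&2
    return 1
}

# Typical use as a workflow step after the Go toolchain has been set up:
#   check_go_shadow "$PATH" "$(go env GOROOT)/bin" || exit 1
```

Run the check as its own step immediately before `go build` or `go test`, and again after any step that runs untrusted module code (`go generate`, tests that exercise third-party packages), since the advisory's wrapper is written during the job rather than present at checkout. A non-zero exit also gives the workflow log the shadowing directory, which is the artifact step 6 of the response list asks you to look for.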
The packages are designed to evade detection by mimicking recognizable library names: knot-activesupport-logger, knot-devise-jwt-helper, knot-rack-session-store, knot-rails-assets-pipeline, knot-rspec-formatter-json, and knot-simple-formatter for Ruby; and go-metrics-sdk, go-weather-sdk, go-retryablehttp, go-stdlib-ext, grpc-client, net-helper, config-loader, log-core, and go-envconfig for Go.
As of publication, RubyGems has yanked the affected gems and the Go module registry has blocked the malicious packages.
Why it matters
This attack targets two critical points in the software development lifecycle. Ruby developers face immediate credential theft during dependency installation. Go developers in CI environments face compromise of their build pipelines, which can be weaponized to inject malicious code into downstream projects or to exfiltrate secrets stored in GitHub Actions workflows.
The use of sleeper packages extends the attack window. An attacker can maintain a poisoned package in registries for an indeterminate period before activating the malicious payload, increasing the chance that the package is already integrated into production dependencies before detection.
The SSH key persistence technique is particularly concerning for organizations managing CI infrastructure. Once a hard-coded public key is added to authorized_keys, the attacker retains access independent of credential rotation or workflow changes.
For SOC analysts and defenders in the MENA region managing Go and Ruby codebases, this attack demonstrates the need for supply chain visibility across package registries and careful monitoring of CI runner configurations.
Affected systems and CVEs
Ruby gems:
- knot-activesupport-logger
- knot-devise-jwt-helper
- knot-rack-session-store
- knot-rails-assets-pipeline
- knot-rspec-formatter-json
- knot-date-utils-rb (sleeper gem)
- knot-simple-formatter (sleeper gem)
Go modules:
- github.com/BufferZoneCorp/go-metrics-sdk
- github.com/BufferZoneCorp/go-weather-sdk
- github.com/BufferZoneCorp/go-retryablehttp
- github.com/BufferZoneCorp/go-stdlib-ext
- github.com/BufferZoneCorp/grpc-client
- github.com/BufferZoneCorp/net-helper
- github.com/BufferZoneCorp/config-loader
- github.com/BufferZoneCorp/log-core (sleeper module)
- github.com/BufferZoneCorp/go-envconfig (sleeper module)
CVEs: No CVE assigned at the time of publication.
What to do
- Remove all affected packages from development machines, CI runners, and production environments immediately.
- Audit ~/.ssh/authorized_keys on all systems where these packages may have been installed; remove any unfamiliar SSH public keys.
- Review system and application logs for unauthorized file access or modifications to sensitive configuration files.
- Rotate all exposed credentials, including AWS keys, GitHub tokens, RubyGems credentials, and any other secrets that may have been harvested.
- Inspect network logs and firewall records for outbound HTTPS traffic to Webhook.site or other exfiltration endpoints.
- Review GitHub Actions workflow logs for suspicious Go executable wrappers or unexpected PATH modifications.
- Audit git history and recent commits in affected repositories for signs of pipeline tampering.
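Two of the steps above, the `authorized_keys` audit and the search for the affected packages in dependency lockfiles, lend themselves to a repeatable script. The one below is an added example for this advisory, not code from the advisory, from RubyGems, or from the Go project. Assumptions: an allowlist file holds one approved public key per line in `authorized_keys` format; the package names are exactly those listed in the "Affected systems" section; the script only reports and removes nothing. The sample keys in the comments are constructed placeholders, not real keys.

```sh
#!/bin/sh
# Added example, not code from the advisory. Two of its response steps as
# repeatable checks: unknown entries in authorized_keys, and the listed
# package names inside Gemfile.lock, go.mod and go.sum files.
# Assumption: ALLOW_FILE contains one approved key per line in the same
# format as authorized_keys. Reports only; nothing is modified.

# Print the key material ("type blob") of every key line in FILE, skipping
# blank lines, comments and leading options such as command="/bin/false".
# Limitation: an option value containing a space would shift the fields.
key_material() {
    _file="$1"
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            ''|'#'*) continue ;;
        esac
        printf '%s\n' "$_line" | awk '{
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                    print $i " " $(i + 1); exit
                }
            }
        }'
    done < "$_file"
}

# Print each key in AUTH_FILE whose material is not in ALLOW_FILE, one per line.
# Comparison is on the whole "type blob" token so a prefix cannot match.
unknown_keys() {
    _auth="$1"
    _allow="$2"
    _allowed=$(key_material "$_allow")
    key_material "$_auth" | while IFS= read -r _k; do
        if ! printf '%s\n' "$_allowed" | grep -Fxq -- "$_k"; then
            printf '%s\n' "$_k"
        fi
    done
}

# Package names taken from the advisory's affected list.
BAD_GEMS="knot-activesupport-logger knot-devise-jwt-helper knot-rack-session-store
knot-rails-assets-pipeline knot-rspec-formatter-json knot-date-utils-rb knot-simple-formatter"
BAD_GO_MODULES="github.com/BufferZoneCorp/go-metrics-sdk github.com/BufferZoneCorp/go-weather-sdk
github.com/BufferZoneCorp/go-retryablehttp github.com/BufferZoneCorp/go-stdlib-ext
github.com/BufferZoneCorp/grpc-client github.com/BufferZoneCorp/net-helper
github.com/BufferZoneCorp/config-loader github.com/BufferZoneCorp/log-core
github.com/BufferZoneCorp/go-envconfig"

# Print "file: name" for every listed name that appears as a whole
# whitespace-delimited token in a Gemfile.lock, go.mod or go.sum under DIR.
# Whole-token matching avoids false hits on longer names sharing a prefix.
scan_lockfiles() {
    _dir="$1"
    find "$_dir" \( -name Gemfile.lock -o -name go.mod -o -name go.sum \) -type f \
    | while IFS= read -r _f; do
        for _name in $BAD_GEMS $BAD_GO_MODULES; do
            if awk -v n="$_name" '{ for (i = 1; i <= NF; i++) if ($i == n) { found = 1; exit } }
                                   END { exit !found }' "$_f"; then
                printf '%s: %s\n' "$_f" "$_name"
            fi
        done
    done
}

# Typical use on a runner or developer machine:
#   unknown_keys "$HOME/.ssh/authorized_keys" /etc/ci/approved_keys
#   scan_lockfiles /srv/repos
```

Run `unknown_keys` against every account's `authorized_keys` on the runner, not only the build user, and keep the allowlist under version control so a diff in either file becomes a reviewable event. A hit from `scan_lockfiles` means the name is pinned in a lockfile, which is the strongest signal that the package was actually installed rather than merely requested; treat the hosts that built from that lockfile as in scope for the credential rotation step.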
Open questions
- When were these packages first deployed, and for how long were they available before discovery?
- How many developers and organizations have installed these packages?
- Are any versions of these packages still available on alternative package registries or mirrors?
- What are the specific version numbers of the malicious packages?
- Were the sleeper gems and modules activated in any known incidents before removal?
- Who is the threat actor behind the BufferZoneCorp account, and what is their motivation?
Source
Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft