Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft

Published: May 1, 2026 at 05:43 AM EDT
Source: The Hacker News

Overview

A new software supply chain attack campaign has been observed using sleeper packages to deliver malicious payloads that enable credential theft, GitHub Actions tampering, and SSH persistence. The activity is attributed to the GitHub account BufferZoneCorp, which has published repositories containing malicious Ruby gems and Go modules. As of writing, the Ruby gems have been yanked from RubyGems and the Go modules have been blocked.

Affected Packages

Ruby Gems

  • knot-activesupport-logger
  • knot-devise-jwt-helper
  • knot-rack-session-store
  • knot-rails-assets-pipeline
  • knot-rspec-formatter-json
  • knot-date-utils-rb (sleeper gem)
  • knot-simple-formatter (sleeper gem)

Go Modules

  • github.com/BufferZoneCorp/go-metrics-sdk
  • github.com/BufferZoneCorp/go-weather-sdk
  • github.com/BufferZoneCorp/go-retryablehttp
  • github.com/BufferZoneCorp/go-stdlib-ext
  • github.com/BufferZoneCorp/grpc-client
  • github.com/BufferZoneCorp/net-helper
  • github.com/BufferZoneCorp/config-loader
  • github.com/BufferZoneCorp/log-core (sleeper module)
  • github.com/BufferZoneCorp/go-envconfig (sleeper module)

The packages masquerade as well‑known modules such as activesupport-logger, devise-jwt, go-retryablehttp, grpc-client, and config-loader to evade detection.

Attack Details

Socket security researcher Kirill Boychenko explained that the Ruby gems automate credential theft during installation, harvesting:

  • Environment variables
  • SSH keys
  • AWS secrets
  • .npmrc and .netrc files
  • GitHub CLI configuration
  • RubyGems credentials

The stolen data is exfiltrated to an attacker‑controlled webhook endpoint.

The Go modules provide broader capabilities, including:

  • Tampering with GitHub Actions workflows
  • Planting fake Go wrappers
  • Stealing developer data
  • Adding a hard‑coded SSH public key to ~/.ssh/authorized_keys for persistent remote access

The modules execute via init(), which Go runs automatically when a program that imports the package starts. They detect the GITHUB_ENV and GITHUB_PATH variables that GitHub Actions sets, set HTTP_PROXY/HTTPS_PROXY, write a fake Go executable into a cache directory, and prepend that directory to the workflow PATH. The wrapper then intercepts subsequent go executions while delegating to the legitimate binary to avoid breaking the job.

Mitigation

If you have installed any of the listed packages, take the following steps:

  1. Remove the malicious gems and modules from your system.
  2. Review your environment for unauthorized access to sensitive files and changes to ~/.ssh/authorized_keys.
  3. Rotate any potentially exposed credentials (AWS keys, SSH keys, API tokens, etc.).
  4. Inspect network logs for outbound HTTPS traffic to unknown webhook endpoints.
  5. Update your CI/CD pipelines and dependency lock files to reference only trusted sources.
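To support step 1 and to spot the PATH tampering described under Attack Details, the following is an added example, not code from the article or from Socket. It matches the package names listed above in a Gemfile.lock, go.mod or go.sum, and lists every go executable on a PATH in lookup order; the function names are illustrative, and matching on names alone is an assumption because the page gives no versions or hashes.

```shell
#!/bin/sh
# Added example: indicator names are the ones listed on this page.
BAD_GEMS='knot-activesupport-logger
knot-devise-jwt-helper
knot-rack-session-store
knot-rails-assets-pipeline
knot-rspec-formatter-json
knot-date-utils-rb
knot-simple-formatter'
BAD_GO_PREFIX='github.com/BufferZoneCorp/'

# Print each listed gem or module referenced by a lock or manifest file.
scan_manifest() {
    file=$1
    for gem in $BAD_GEMS; do
        # Fixed-string match on word boundaries ("    name (version)" lines).
        if grep -qwF -- "$gem" "$file"; then echo "$gem"; fi
    done
    # Go: any module path under the attributed account (go.mod, go.sum).
    grep -oiE "${BAD_GO_PREFIX}[A-Za-z0-9._-]+" "$file" | sort -u
    return 0
}

# List every executable named "go" on a PATH string, in lookup order.
# More than one hit means the first shadows the rest, which is where a
# wrapper in a prepended cache directory would sit. Heuristic only:
# version managers can legitimately produce several hits.
list_go_on_path() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        if [ -n "$dir" ] && [ -x "$dir/go" ] && [ ! -d "$dir/go" ]; then
            echo "$dir/go"
        fi
    done
    IFS=$old_ifs
    return 0
}

# Usage: sh check.sh Gemfile.lock go.mod go.sum
if [ "$#" -gt 0 ]; then
    for f in "$@"; do scan_manifest "$f"; done
    list_go_on_path "$PATH"
fi
```

Run it inside the CI job as well as on developer machines, since the PATH change is made through the workflow's GITHUB_PATH and will not show up in a local shell.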

References

  • Kirill Boychenko’s analysis on Socket.dev:
  • Additional coverage: