Skip to content
.ca
sign in
Work being done in the backend.
7 mincritical

Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI

A software supply chain campaign attributed to the GitHub account 'BufferZoneCorp' published malicious Ruby gems and Go modules designed to steal developer secrets and compromise CI/CD environments. The packages impersonate legitimate developer tools to execute install-time and runtime payloads that harvest credentials, tamper with GitHub Actions workflows, manipulate Go dependency resolution, and establish SSH persistence.

Sens:ImmediateConf:highAnalyzed:2026-05-02Google
ActorsBufferZoneCorpknot-theory
Go ModulesCredential TheftSupply ChainRubyGemsCI/CD

Source:Socket

IOCs · 2

Detection / HunterGoogle

What Happened

Security researchers discovered a coordinated attack where malicious software packages were disguised as helpful tools for Ruby and Go developers. When developers or automated build systems install these packages, the hidden malicious code steals sensitive passwords, cloud access keys, and source code credentials. The attack specifically targets automated build environments like GitHub Actions, altering settings to make future attacks easier and even leaving a backdoor for attackers to access the servers later. This highlights the danger of downloading unverified code; developers should immediately check their systems for these specific packages and change any potentially exposed passwords.

Key Takeaways

  • A coordinated supply chain attack by the GitHub account 'BufferZoneCorp' targeted Ruby and Go developers using typosquatted and impersonated packages.
  • Malicious Ruby gems execute at install time via extconf.rb to harvest SSH keys, AWS credentials, and other secrets.
  • Malicious Go modules target CI/CD environments (like GitHub Actions) by poisoning GOPROXY, weakening checksums, and planting fake 'go' wrappers.
  • Some Go modules establish persistence by appending a hardcoded SSH public key (deploy@buildserver) to ~/.ssh/authorized_keys.
  • Stolen credentials and environment variables are exfiltrated to a hidden webhook endpoint.

Affected Systems

  • Developer workstations
  • CI/CD runners (specifically GitHub Actions)
  • Ruby environments
  • Go environments

Attack Chain

The threat actor publishes malicious Ruby gems and Go modules using plausible names to impersonate legitimate developer tools. Upon installation, Ruby gems execute malicious code via extconf.rb to harvest local credentials and environment variables, exfiltrating them to a webhook. In Go environments, the modules execute via init() functions to poison GitHub Actions environments by altering GOPROXY and go.sum, planting fake 'go' wrappers to intercept commands, and appending an SSH key to authorized_keys for persistent access.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide pre-built detection rules, but it details specific behavioral indicators, file paths, and environment variable manipulations to monitor.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can detect file reads of sensitive files like ~/.ssh/id_rsa by unusual processes (gem, go) and modifications to ~/.ssh/authorized_keys, but might miss in-memory environment variable scraping. Network Visibility: Medium — Outbound connections to webhook.site from build tools can be spotted, but the traffic is encrypted via HTTPS. Detection Difficulty: Moderate — Detecting unauthorized SSH key additions and unexpected outbound connections from CI tools is feasible, but distinguishing malicious package installation from normal developer activity requires baseline knowledge.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • File System Activity (Sysmon 11)
  • Network Connections (Sysmon 3)

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for package managers (gem, go) initiating outbound network connections to known webhook or pastebin sites.Network connection logs mapped to process execution (e.g., Sysmon Event ID 3).ExfiltrationLow to Medium
Monitor for unexpected modifications to ~/.ssh/authorized_keys by build processes or package managers.File modification logs (e.g., Sysmon Event ID 11).PersistenceLow
Search for processes spawned by package managers reading multiple sensitive credential files (e.g., ~/.aws/credentials, ~/.npmrc) in rapid succession.File read events or EDR telemetry.Credential AccessMedium
Identify unexpected modifications to CI/CD environment variables like GOPROXY, GOSUMDB, or GITHUB_ENV during build steps.CI/CD pipeline logs and runner execution logs.Defense EvasionMedium

Control Gaps

  • Lack of egress filtering on CI/CD runners
  • Implicit trust of package manager execution
  • Unrestricted access to developer secrets in build environments

Key Behavioral Indicators

  • Modification of ~/.ssh/authorized_keys with the deploy@buildserver comment
  • Creation of fake 'go' executables in cache directories
  • Ruby extconf.rb scripts reading SSH keys or AWS credentials

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Remove all BufferZoneCorp Ruby gems and Go modules from environments.
  • Rotate any exposed credentials (SSH keys, AWS tokens, GitHub tokens) if affected packages were installed.
  • Review ~/.ssh/authorized_keys for unauthorized entries, specifically the deploy@buildserver key.

Infrastructure Hardening

  • Limit secret scope in CI/CD environments so build jobs only inherit necessary credentials.
  • Implement egress filtering on CI runners to block connections to untrusted domains like webhook.site.
  • Enforce strict dependency pinning and checksum verification.

User Protection

  • Educate developers on typosquatting and verifying package authors before installation.
  • Monitor developer workstations for unauthorized access to credential files.

Security Awareness

  • Add review gates for newly introduced developer utilities and dependencies.
  • Conduct regular audits of CI/CD pipeline configurations and environment variables.

MITRE ATT&CK Mapping

  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  • T1204.005 - User Execution: Malicious Library
  • T1036.005 - Masquerading: Match Legitimate Resource Name or Location
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1552.001 - Unsecured Credentials: Credentials in Files
  • T1552.004 - Unsecured Credentials: Private Keys
  • T1552.005 - Unsecured Credentials: Cloud Instance Metadata API
  • T1098.004 - Account Manipulation: SSH Authorized Keys
  • T1574.007 - Hijack Execution Flow: Path Interception by PATH Environment Variable
  • T1567.004 - Exfiltration Over Web Service: Exfiltration Over Webhook
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1526 - Cloud Service Discovery
  • T1613 - Container and Resource Discovery

Additional IOCs

  • Domains:
    • webhook[.]site - Domain used for the exfiltration endpoint.
  • Urls:
    • github.com/BufferZoneCorp/activesupport-logger - Malicious GitHub repository
    • github.com/BufferZoneCorp/devise-jwt-helper - Malicious GitHub repository
    • github.com/BufferZoneCorp/rack-session-store - Malicious GitHub repository
    • github.com/BufferZoneCorp/rails-assets-pipeline - Malicious GitHub repository
    • github.com/BufferZoneCorp/rspec-formatter-json - Malicious GitHub repository
    • github.com/BufferZoneCorp/date-utils-rb - Malicious GitHub repository (sleeper)
    • github.com/BufferZoneCorp/simple-formatter - Malicious GitHub repository (sleeper)
    • github.com/BufferZoneCorp/go-weather-sdk - Malicious Go module repository
    • github.com/BufferZoneCorp/go-retryablehttp - Malicious Go module repository
    • github.com/BufferZoneCorp/go-stdlib-ext - Malicious Go module repository
    • github.com/BufferZoneCorp/grpc-client - Malicious Go module repository
    • github.com/BufferZoneCorp/net-helper - Malicious Go module repository
    • github.com/BufferZoneCorp/config-loader - Malicious Go module repository
    • github.com/BufferZoneCorp/log-core - Malicious Go module repository (sleeper)
    • github.com/BufferZoneCorp/go-envconfig - Malicious Go module repository (sleeper)
    • github.com/BufferZoneCorp/go-stdlog - Malicious Go module repository (reconnaissance logic)
  • File Paths:
    • ~/.ssh/authorized_keys - Targeted for SSH key persistence insertion.
    • extconf.rb - Ruby native extension build file abused for install-time execution.
    • ~/.ssh/id_rsa - Targeted for credential theft.
    • ~/.ssh/id_ed25519 - Targeted for credential theft.
    • ~/.aws/credentials - Targeted for credential theft.
    • ~/.npmrc - Targeted for credential theft.
    • ~/.gem/credentials - Targeted for credential theft.
    • ~/.netrc - Targeted for credential theft.
    • ~/.config/gh/hosts.yml - Targeted for credential theft.
    • ~/.gitconfig - Targeted for credential theft.
    • ~/.docker/config.json - Targeted for credential theft.
    • ~/.kube/config - Targeted for credential theft.
  • Other:
    • knot-devise-jwt-helper - Malicious Ruby gem
    • knot-rack-session-store - Malicious Ruby gem
    • knot-rails-assets-pipeline - Malicious Ruby gem
    • knot-rspec-formatter-json - Malicious Ruby gem
    • knot-date-utils-rb - Malicious Ruby gem (sleeper)
    • knot-simple-formatter - Malicious Ruby gem (sleeper)

Related