
BufferZoneCorp sleeper-package supply chain campaign

Campaign
Happening score (H score): 42
1 unique source, 1 article

Summary

The BufferZoneCorp software supply chain campaign is pushing malicious Ruby gems and Go modules that can steal credentials, tamper with GitHub Actions, and persist on compromised hosts. The packages target developers, CI runners, and build environments across Ruby and Go ecosystems, widening exposure beyond a single project. The packages were designed to masquerade as trusted libraries, which raises the chance of accidental installation. The threat matters because install-time execution can leak secrets and alter build pipelines before defenders notice.

Timeline

  1. 01.05.2026 12:43 2 articles · 26d ago

    Sleeper packages enable credential theft and GitHub Actions tampering

    Technical Analysis Update

    Sleeper Ruby gems and Go modules in the BufferZoneCorp cluster were observed enabling install-time credential theft, GitHub Actions tampering, SSH persistence, and exfiltration to a Webhook[.]site endpoint. The Go side could execute through `init()`, detect `GITHUB_ENV` and `GITHUB_PATH`, set `HTTP_PROXY` and `HTTPS_PROXY`, write a fake `go` executable into a cache directory, and append that directory to the workflow path so that later `go` executions could be intercepted without breaking the job.

  2. 01.05.2026 12:43 1 article · 26d ago

    BufferZoneCorp attribution for malicious Ruby gems and Go modules

    Attribution Update

    The GitHub account BufferZoneCorp was identified as the publisher of repositories tied to malicious Ruby gems and Go modules that masqueraded as trusted libraries to target developers, CI runners, and build environments across Ruby and Go. The package cluster included sleeper gems and sleeper modules alongside libraries that copied familiar names to reduce suspicion during installation.

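A defender-side check for the workflow-path and proxy tampering described in the timeline, as an added example that is not part of the original page or of the reporting it summarizes. It audits the effective environment of a later workflow step on a Linux or macOS runner; `audit_step_env`, `trusted_go_dirs`, `allowed_proxies` and the `TRUSTED_GO_DIRS` variable are hypothetical names chosen for illustration.

```python
import os

PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY")  # the variables named in the report


def is_tool(directory, tool):
    """True if `directory` holds an executable file named `tool`."""
    path = os.path.join(directory, tool)
    return bool(directory) and os.path.isfile(path) and os.access(path, os.X_OK)


def audit_step_env(env, trusted_go_dirs, allowed_proxies=(), tool="go"):
    """Return findings for one workflow step's effective environment.

    env: a mapping such as os.environ.
    trusted_go_dirs: directories expected to supply `tool` (assumed allowlist,
    for example the bin directory of the toolchain the job installed).
    allowed_proxies: proxy URLs the pipeline sets on purpose, if any.
    """
    findings = []
    # 1. Proxy variables that nothing in the pipeline is expected to set.
    for name, value in env.items():
        if name.upper() in PROXY_VARS and value and value not in allowed_proxies:
            findings.append(("unexpected-proxy", name, value))
    # 2. Walk PATH in resolution order. Directories queued through the
    #    GITHUB_PATH file are prepended to PATH for later steps, so a planted
    #    directory is searched before the real toolchain.
    trusted = {os.path.realpath(d) for d in trusted_go_dirs}
    trusted_seen = False
    for entry in env.get("PATH", "").split(os.pathsep):
        if not is_tool(entry, tool):
            continue
        if os.path.realpath(entry) in trusted:
            trusted_seen = True
            continue
        # "first": this copy wins resolution; "later": it is shadowed but present.
        kind = "untrusted-tool-later" if trusted_seen else "untrusted-tool-first"
        findings.append((kind, entry, os.path.join(entry, tool)))
    return findings


if __name__ == "__main__":
    # Assumption: the job exports TRUSTED_GO_DIRS as a PATH-style list.
    dirs = [d for d in os.environ.get("TRUSTED_GO_DIRS", "").split(os.pathsep) if d]
    results = audit_step_env(os.environ, dirs)
    for finding in results:
        print("FINDING", *finding)
    raise SystemExit(1 if results else 0)
```

Run it as its own step after dependency installation and builds, so that it sees the `PATH` and environment variables earlier steps queued for the rest of the job.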