Find notable cyber news and cases, enriched with sources, timelines, and signals.

BufferZoneCorp sleeper-package supply chain campaign

Campaign
First reported
Last updated
Happening score
H score 38
1 unique sources, 1 articles

Summary

Hide ▲

The BufferZoneCorp software supply chain campaign is pushing malicious Ruby gems and Go modules that can steal credentials, tamper with GitHub Actions, and persist on compromised hosts. The packages target developers, CI runners, and build environments across Ruby and Go ecosystems, widening exposure beyond a single project. The packages were designed to masquerade as trusted libraries, which raises the chance of accidental installation. The threat matters because install-time execution can leak secrets and alter build pipelines before defenders notice.

Related Happenings

Malicious npm and PyPI payment SDK typosquat packages

Malware Activity
H score40 First: 09.07.2026 18:09 Last: 09.07.2026 18:09 Sources 1

About this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...

Codfish/semantic-release-action hit by network compromise

Incident
H score21 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...

GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Security Tool/Service
H score11 First: 23.06.2026 17:22 Last: 23.06.2026 17:22 Sources 1

About this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...

Hades Bun-powered JavaScript stealer on PyPI

Malware Activity
H score34 First: 09.06.2026 12:13 Last: 09.06.2026 12:13 Sources 1

About this happening: A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...

Asteroiddao hit by network compromise

Incident
H score13 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...

Timeline

  1. 01.05.2026 12:43 2 articles · 2mo ago

    Sleeper packages enable credential theft and GitHub Actions tampering

    Technical Analysis Update

    Sleeper Ruby gems and Go modules in the BufferZoneCorp cluster were observed enabling install-time credential theft, GitHub Actions tampering, SSH persistence, and exfiltration to a Webhook[.]site endpoint. The Go side could execute through `init()`, detect `GITHUB_ENV` and `GITHUB_PATH`, set `HTTP_PROXY` and `HTTPS_PROXY`, write a fake go executable into a cache directory, and append that directory to the workflow path so later `go` executions could be intercepted without breaking the job.

    Show sources
  2. 01.05.2026 12:43 1 articles · 2mo ago

    BufferZoneCorp attribution for malicious Ruby gems and Go modules

    Attribution Update

    The GitHub account BufferZoneCorp was attributed with publishing repositories tied to malicious Ruby gems and Go modules that masqueraded as trusted libraries to target developers, CI runners, and build environments across Ruby and Go. The package cluster included sleeper gems and sleeper modules alongside libraries that copied familiar names to reduce suspicion during installation.

    Show sources