BufferZoneCorp sleeper-package supply chain campaign
Campaign
Summary
Hide ▲
Show ▼
The BufferZoneCorp software supply chain campaign is pushing malicious Ruby gems and Go modules that can steal credentials, tamper with GitHub Actions, and persist on compromised hosts. The packages target developers, CI runners, and build environments across Ruby and Go ecosystems, widening exposure beyond a single project. The packages were designed to masquerade as trusted libraries, which raises the chance of accidental installation. The threat matters because install-time execution can leak secrets and alter build pipelines before defenders notice.
Related Happenings
Malicious npm and PyPI payment SDK typosquat packages
Malware Activity
H score40
First: 09.07.2026 18:09
Last: 09.07.2026 18:09
Sources 1
About this happening:
The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Malicious npm and PyPI payment SDK typosquat packages
Malware ActivityAbout this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Codfish/semantic-release-action hit by network compromise
Incident
H score21
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Codfish/semantic-release-action hit by network compromise
IncidentAbout this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/Service
H score11
First: 23.06.2026 17:22
Last: 23.06.2026 17:22
Sources 1
About this happening:
GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/ServiceAbout this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
Hades Bun-powered JavaScript stealer on PyPI
Malware Activity
H score34
First: 09.06.2026 12:13
Last: 09.06.2026 12:13
Sources 1
About this happening:
A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
Hades Bun-powered JavaScript stealer on PyPI
Malware ActivityAbout this happening: A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
Asteroiddao hit by network compromise
Incident
H score13
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...
Asteroiddao hit by network compromise
IncidentAbout this happening: **asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...
Timeline
-
01.05.2026 12:43 2 articles · 2mo ago
Sleeper packages enable credential theft and GitHub Actions tampering
Technical Analysis UpdateSleeper Ruby gems and Go modules in the BufferZoneCorp cluster were observed enabling install-time credential theft, GitHub Actions tampering, SSH persistence, and exfiltration to a Webhook[.]site endpoint. The Go side could execute through `init()`, detect `GITHUB_ENV` and `GITHUB_PATH`, set `HTTP_PROXY` and `HTTPS_PROXY`, write a fake go executable into a cache directory, and append that directory to the workflow path so later `go` executions could be intercepted without breaking the job.
Show sources
- Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft — thehackernews.com — 01.05.2026 12:43
- Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft — thehackernews.com — 01.05.2026 12:43
-
01.05.2026 12:43 1 articles · 2mo ago
BufferZoneCorp attribution for malicious Ruby gems and Go modules
Attribution UpdateThe GitHub account BufferZoneCorp was attributed with publishing repositories tied to malicious Ruby gems and Go modules that masqueraded as trusted libraries to target developers, CI runners, and build environments across Ruby and Go. The package cluster included sleeper gems and sleeper modules alongside libraries that copied familiar names to reduce suspicion during installation.
Show sources
- Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft — thehackernews.com — 01.05.2026 12:43