CyberHappenings

Poisoned Ruby gems and Go modules lead to credential theft and CI pipeline manipulation

1 unique source, 1 article

Summary


A coordinated software supply chain attack used sleeper packages (packages published in a benign state and weaponised later) on RubyGems and in the Go module ecosystem to run malicious payloads inside CI pipelines, enabling credential theft, GitHub Actions tampering and SSH persistence. The packages were published from the GitHub account "BufferZoneCorp" under names that imitate legitimate libraries, such as activesupport-logger (after Rails' activesupport) and go-retryablehttp (after HashiCorp's go-retryablehttp). The Ruby gems harvested environment variables, SSH keys, AWS secrets and developer credentials and exfiltrated them to attacker-controlled endpoints. The Go modules additionally manipulated GitHub Actions workflows, placed fake Go wrappers ahead of the real toolchain on PATH, and added persistent SSH access through ~/.ssh/authorized_keys. As of reporting, all identified packages have been yanked or blocked. Yanking only stops new installs; any runner or workstation that already executed a payload should have its CI secrets, cloud keys, SSH keys and registry tokens rotated and its authorized_keys files reviewed.

Timeline

  1. 01.05.2026 12:43 · 1 article

    Poisoned Ruby gems and Go modules linked to credential theft and SSH persistence in CI pipelines

    Malicious packages published under the "BufferZoneCorp" GitHub account were distributed through RubyGems and the Go module ecosystem, including sleeper packages, to harvest credentials and manipulate CI workflows. The Ruby gems stole credentials at install time, while the Go modules injected fake Go wrappers to intercept later build steps and established SSH persistence. The packages have been removed from the distribution channels following discovery.


Information Snippets

  • Attacker-controlled GitHub account "BufferZoneCorp" published malicious Ruby gems and Go modules, including sleeper packages, across RubyGems and Go ecosystems.

    First reported: 01.05.2026 12:43
    1 source, 1 article
  • Malicious Ruby gems were designed to steal environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI configuration and RubyGems credentials during installation, exfiltrating the data to a Webhook.site endpoint (a public request-capture service, so outbound connections to it from build hosts are a usable block and detection indicator).

    First reported: 01.05.2026 12:43
    1 source, 1 article
  • Go modules included functionality to tamper with GitHub Actions workflows, inject fake Go wrappers that intercept subsequent go invocations while still forwarding to the real binary so builds keep succeeding, steal developer data, and add hard-coded SSH public keys to ~/.ssh/authorized_keys for remote persistence.

    First reported: 01.05.2026 12:43
    1 source, 1 article
  • The Go module payloads checked for the GITHUB_ENV and GITHUB_PATH environment variables (present only inside a GitHub Actions job) to recognise a CI runner, set HTTP_PROXY and HTTPS_PROXY, and wrote a fake Go binary cache directory into the GITHUB_PATH file, which GitHub Actions places ahead of the existing PATH for every subsequent step, so the wrapper in that directory ran in place of the real go toolchain.

    First reported: 01.05.2026 12:43
    1 source, 1 article
  • Affected packages have been yanked from RubyGems and blocked in the Go module ecosystem as of the report date.

    First reported: 01.05.2026 12:43
    1 source, 1 article
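The Go-module indicators described in the snippets above (proxy variables pointed at an unexpected host, a wrapper ahead of the real go toolchain via GITHUB_PATH, and keys added to authorized_keys) can be audited on a runner or developer machine with the following added example. It is not code from the report or from the packages it describes. It assumes that a wrapper which runs a payload and then execs the real toolchain is a script rather than a native binary (a compiled shim would need a hash comparison against the official release instead), that the set of legitimate corporate proxy hosts is known to the caller, and that the authorized_keys baseline is a copy taken before the incident; the sample inputs in the accompanying test are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// CheckProxyEnv flags HTTP(S)_PROXY values whose host is not an expected proxy: a payload
// that points them at its own host sees every HTTP request the build makes afterwards.
func CheckProxyEnv(lookup func(string) string, allowedHosts map[string]bool) []string {
	var out []string
	for _, k := range []string{"HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy"} {
		v := lookup(k)
		if u, err := url.Parse(v); v == "" || (err == nil && allowedHosts[u.Hostname()]) {
			continue // unset, or the proxy the organisation actually runs
		}
		out = append(out, k+": proxy points at unexpected host "+v)
	}
	return out
}

// ExecKind classifies an executable by its magic bytes: a real toolchain binary is ELF or
// Mach-O, while a wrapper that runs a payload and then execs the real "go" is usually a script.
func ExecKind(head []byte) string {
	switch {
	case bytes.HasPrefix(head, []byte{0x7f, 'E', 'L', 'F'}):
		return "elf"
	case bytes.HasPrefix(head, []byte{0xcf, 0xfa, 0xed, 0xfe}), bytes.HasPrefix(head, []byte{0xca, 0xfe, 0xba, 0xbe}):
		return "macho"
	case bytes.HasPrefix(head, []byte("#!")):
		return "script"
	}
	return "unknown"
}

// GoShims flags every directory (in PATH order) holding a "go" that is not a native binary.
// readHead is injected so the logic can be exercised without a filesystem.
func GoShims(dirs []string, readHead func(string) ([]byte, bool)) []string {
	var out []string
	for _, dir := range dirs {
		p := filepath.Join(dir, "go")
		if head, ok := readHead(p); ok {
			if kind := ExecKind(head); kind != "elf" && kind != "macho" {
				out = append(out, fmt.Sprintf("go-wrapper: %s (%s)", p, kind))
			}
		}
	}
	return out
}

// NewAuthorizedKeys returns key IDs (type + key material) present in current but not in
// baseline; comparing on the material means a changed comment or option cannot hide a key.
func NewAuthorizedKeys(current, baseline string) []string {
	known := map[string]bool{}
	for _, id := range keyIDs(baseline) {
		known[id] = true
	}
	var added []string
	for _, id := range keyIDs(current) {
		if !known[id] {
			added = append(added, id)
		}
	}
	return added
}

func keyIDs(content string) []string {
	var ids []string
	for _, line := range strings.Split(content, "\n") {
		f := strings.Fields(line)
		for i := 0; i+1 < len(f) && !strings.HasPrefix(f[0], "#"); i++ { // options may precede the key type
			if t := f[i]; strings.HasPrefix(t, "ssh-") || strings.HasPrefix(t, "ecdsa-") || strings.HasPrefix(t, "sk-") {
				ids = append(ids, t+" "+f[i+1])
				break
			}
		}
	}
	return ids
}

// readHeadFromDisk returns the first four bytes of a regular file; directories are skipped.
func readHeadFromDisk(p string) ([]byte, bool) {
	f, err := os.Open(p)
	if err != nil {
		return nil, false
	}
	defer f.Close()
	if fi, err := f.Stat(); err != nil || !fi.Mode().IsRegular() {
		return nil, false
	}
	head := make([]byte, 4)
	n, _ := f.Read(head)
	return head[:n], true
}

func main() {
	dirs := filepath.SplitList(os.Getenv("PATH"))
	if gp, err := os.ReadFile(os.Getenv("GITHUB_PATH")); err == nil { // one directory per line, put ahead of PATH
		dirs = append(strings.Fields(string(gp)), dirs...)
	}
	findings := append(CheckProxyEnv(os.Getenv, nil), GoShims(dirs, readHeadFromDisk)...) // nil: no proxy expected
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Run it as a late step in the job (after the dependency and build steps, which is where a module payload would have executed) and fail the job on any output. NewAuthorizedKeys is meant for the host side: feed it the current ~/.ssh/authorized_keys of the runner or workstation and a baseline copy kept outside the machine. None of these checks catch a compiled wrapper or a proxy on an allowlisted host, so they complement, rather than replace, rotating the credentials that the Ruby gems were reported to collect.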