Feed
HighPublished 1 May 202616 packages · 0 versions

BufferZoneCorp sleeper attack on RubyGems + Go modules

Summary

Socket disclosed a coordinated sleeper-package campaign attributed to the GitHub org BufferZoneCorp (and RubyGems user knot-theory). Initially-clean Ruby gems and Go modules were updated to malicious versions. The Ruby side harvests env vars, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI config, and RubyGems credentials; the Go side tampers with GitHub Actions workflows, injects fake executables, and adds SSH persistence via authorized_keys. First confirmed 2026 RubyGems + Go module supply-chain campaign.

credential-theftci-cd-compromisemaintainer-takeoverobfuscation
Threat actor
BufferZoneCorp
Detected by
Socket
Ecosystems
GoRubyGems
Packages tracked
16

What happened

Socket disclosed the BufferZoneCorp campaign on 2026-05-01 — the first confirmed cross-ecosystem RubyGems + Go supply-chain operation of 2026. The threat actor (publishing as the GitHub org BufferZoneCorp and the RubyGems user knot-theory) published initially-clean packages, built modest install counts, and then quietly pushed malicious updates. This two-stage pattern defeats lockfile-only defences when the lock captured the malicious version.

On the Ruby side, execution fires at install time through extconf.rb. The payload filters environment variables for keywords such as token, key, secret, pass, aws, github, api, and auth, then walks the developer's home directory to grab SSH keys, ~/.aws/credentials, .npmrc, .netrc, GitHub CLI config (~/.config/gh), and the RubyGems credentials file. Results are POSTed to attacker-controlled webhook.site URLs.

The Go modules take a more aggressive CI/CD-focused approach: they tamper with GOPROXY, disable checksum verification, and remove entries from go.sum to weaken downstream dependency trust. Some variants drop fake Go wrappers into $PATH to capture later invocations, and several modules establish SSH persistence by appending a hardcoded public key (labelled deploy@buildserver) to ~/.ssh/authorized_keys. A handful also rewrite GitHub Actions workflows to inject extra steps that exfiltrate secrets.* from the runner.

  • Ruby IOC: extconf.rb POSTing to webhook.site/<uuid>
  • Go IOC: an authorized_keys entry with the deploy@buildserver comment, or unexpected modifications to GONOSUMCHECK/GOPROXY
  • Cross-ecosystem reach from a single actor: 7 gems under the knot-* prefix and 9 Go modules under github.com/BufferZoneCorp/*

Affected packages (16)

  • Gogithub.com/BufferZoneCorp/config-loader
  • Gogithub.com/BufferZoneCorp/go-envconfig
  • Gogithub.com/BufferZoneCorp/go-metrics-sdk
  • Gogithub.com/BufferZoneCorp/go-retryablehttp
  • Gogithub.com/BufferZoneCorp/go-stdlib-ext
  • Gogithub.com/BufferZoneCorp/go-weather-sdk
  • Gogithub.com/BufferZoneCorp/grpc-client
  • Gogithub.com/BufferZoneCorp/log-core
  • Gogithub.com/BufferZoneCorp/net-helper
  • RubyGemsknot-activesupport-logger
  • RubyGemsknot-date-utils-rb
  • RubyGemsknot-devise-jwt-helper
  • RubyGemsknot-rack-session-store
  • RubyGemsknot-rails-assets-pipeline
  • RubyGemsknot-rspec-formatter-json
  • RubyGemsknot-simple-formatter

Impact

  • Two-stage publish defeats lockfile-based defences if locks captured the malicious update
  • Targets CI/CD credentials and SSH persistence
  • Cross-ecosystem reach (Ruby + Go) from a single threat actor

What to do

  1. 1Remove the listed gems and modules from Gemfile.lock and go.sum
  2. 2Audit ~/.ssh/authorized_keys for unauthorised entries (key labelled deploy@buildserver)
  3. 3Block egress to webhook.site exfiltration endpoints

References

multi-2026-05-01-bufferzonecorp-rubygems-go