BufferZoneCorp sleeper attack on RubyGems + Go modules
Socket disclosed a coordinated sleeper-package campaign attributed to the GitHub org BufferZoneCorp (and RubyGems user knot-theory). Initially-clean Ruby gems and Go modules were updated to malicious versions. The Ruby side harvests env vars, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI config, and RubyGems credentials; the Go side tampers with GitHub Actions workflows, injects fake executables, and adds SSH persistence via authorized_keys. First confirmed 2026 RubyGems + Go module supply-chain campaign.
- Threat actor
- BufferZoneCorp
- Detected by
- Socket
- Ecosystems
- GoRubyGems
- Packages tracked
- 16
What happened
Socket disclosed the BufferZoneCorp campaign on 2026-05-01 — the first confirmed cross-ecosystem RubyGems + Go supply-chain operation of 2026. The threat actor (publishing as the GitHub org BufferZoneCorp and the RubyGems user knot-theory) published initially-clean packages, built modest install counts, and then quietly pushed malicious updates. This two-stage pattern defeats lockfile-only defences when the lock captured the malicious version.
On the Ruby side, execution fires at install time through extconf.rb. The payload filters environment variables for keywords such as token, key, secret, pass, aws, github, api, and auth, then walks the developer's home directory to grab SSH keys, ~/.aws/credentials, .npmrc, .netrc, GitHub CLI config (~/.config/gh), and the RubyGems credentials file. Results are POSTed to attacker-controlled webhook.site URLs.
The Go modules take a more aggressive CI/CD-focused approach: they tamper with GOPROXY, disable checksum verification, and remove entries from go.sum to weaken downstream dependency trust. Some variants drop fake Go wrappers into $PATH to capture later invocations, and several modules establish SSH persistence by appending a hardcoded public key (labelled deploy@buildserver) to ~/.ssh/authorized_keys. A handful also rewrite GitHub Actions workflows to inject extra steps that exfiltrate secrets.* from the runner.
- Ruby IOC:
extconf.rbPOSTing towebhook.site/<uuid> - Go IOC: an
authorized_keysentry with thedeploy@buildservercomment, or unexpected modifications toGONOSUMCHECK/GOPROXY - Cross-ecosystem reach from a single actor: 7 gems under the
knot-*prefix and 9 Go modules undergithub.com/BufferZoneCorp/*
Affected packages (16)
- Go
github.com/BufferZoneCorp/config-loader - Go
github.com/BufferZoneCorp/go-envconfig - Go
github.com/BufferZoneCorp/go-metrics-sdk - Go
github.com/BufferZoneCorp/go-retryablehttp - Go
github.com/BufferZoneCorp/go-stdlib-ext - Go
github.com/BufferZoneCorp/go-weather-sdk - Go
github.com/BufferZoneCorp/grpc-client - Go
github.com/BufferZoneCorp/log-core - Go
github.com/BufferZoneCorp/net-helper - RubyGems
knot-activesupport-logger - RubyGems
knot-date-utils-rb - RubyGems
knot-devise-jwt-helper - RubyGems
knot-rack-session-store - RubyGems
knot-rails-assets-pipeline - RubyGems
knot-rspec-formatter-json - RubyGems
knot-simple-formatter
Impact
- Two-stage publish defeats lockfile-based defences if locks captured the malicious update
- Targets CI/CD credentials and SSH persistence
- Cross-ecosystem reach (Ruby + Go) from a single threat actor
What to do
- 1Remove the listed gems and modules from
Gemfile.lockandgo.sum - 2Audit
~/.ssh/authorized_keysfor unauthorised entries (key labelleddeploy@buildserver) - 3Block egress to webhook.site exfiltration endpoints