Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft

Staff Editor 2026-05-01
Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft

Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft

https://thehackernews.com/2026/05/poisoned-ruby-gems-and-go-modules.html

Publish Date: 2026-05-01 05:43:00

Source Domain: thehackernews.com

Ravie LakshmananMay 01, 2026Supply Chain Attack / Malware

A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that enabled credential theft, GitHub Actions tampering, and SSH persistence.

The activity has been attributed to the GitHub account “BufferZoneCorp,” which has published a set of repositories that are associated with malicious Ruby gems and Go modules. As of writing, the packages have been yanked from RubyGems, and the Go modules have been blocked. The names of the libraries are listed below –

  • Ruby:
    • knot-activesupport-logger
    • knot-devise-jwt-helper
    • knot-rack-session-store
    • knot-rails-assets-pipeline
    • knot-rspec-formatter-json
    • knot-date-utils-rb (Sleeper gem)
    • knot-simple-formatter (Sleeper gem)
  • Go:
    • github[.]com/BufferZoneCorp/go-metrics-sdk
    • github[.]com/BufferZoneCorp/go-weather-sdk
    • github[.]com/BufferZoneCorp/go-retryablehttp
    • github[.]com/BufferZoneCorp/go-stdlib-ext
    • github[.]com/BufferZoneCorp/grpc-client
    • github[.]com/BufferZoneCorp/net-helper
    • github[.]com/BufferZoneCorp/config-loader
    • github[.]com/BufferZoneCorp/log-core (Sleeper module)
    • github[.]com/BufferZoneCorp/go-envconfig (Sleeper module)

The identified packages masquerade as recognizable and well-known modules like activesupport-logger, devise-jwt, go-retryablehttp, grpc-client, and config-loader so as to evade detection and trick users into downloading them.

“The account is part of a software supply chain campaign targeting developers, CI runners, and build environments across two ecosystems,” Socket security researcher Kirill Boychenko said in an analysis published today.

The Ruby gems are designed to automate credential theft during install time, harvesting environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI configuration, and RubyGems credentials. The stolen data is then exfiltrated to an attacker-controlled Webhook[.]site endpoint.

On the other hand, the Go modules harbor…

Source

More Stories

Three highlights in latest DHS spending bill

Three highlights in latest DHS spending bill

Staff Editor 2026-06-05
Mountain Rides resolves cybersecurity threat | Transportation

Mountain Rides resolves cybersecurity threat | Transportation

Staff Editor 2026-06-05
NICC offers new computing and cybersecurity program for high school students | 97 Seven Country WGLR – The Tri-States Best Variety of Country

NICC offers new computing and cybersecurity program for high school students | 97 Seven Country WGLR – The Tri-States Best Variety of Country

Staff Editor 2026-06-05

Terms and Conditions - Privacy Policy