Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft

Summary

A software supply chain attack campaign attributed to the GitHub account "BufferZoneCorp" has been identified using malicious Ruby gems and Go modules. The attack utilizes "sleeper" packages to deploy payloads designed for credential theft, GitHub Actions tampering, and the establishment of SSH persistence within CI/CD pipelines and developer environments.

Key Points

• The campaign targets the Ruby and Go ecosystems using packages that masquerade as well-known libraries, such as activesupport-logger and grpc-client.
• Malicious Ruby gems automate the harvesting of environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI configurations, and RubyGems credentials during the installation phase.
• Stolen data from Ruby environments is exfiltrated to an attacker-controlled Webhook[.]site endpoint.
• Malicious Go modules are capable of injecting a hard-coded SSH public key into ~/.ssh/authorized_keys to ensure remote access persistence.
• The Go-based attack employs a wrapper technique by placing a fake go executable in a cache directory and appending that directory to the GITHUB_PATH.
• The Go payload leverages the init() function to detect GITHUB_ENV and GITHUB_PATH and manipulate HTTP_PROXY and HTTPS_PROXY settings.

Technical Details

The attack utilizes a tiered approach via "sleeper" modules—such as knot-date-utils-rb in Ruby and github[.]com/BufferZoneCorp/log-core in Go—to delay malicious activity and evade initial detection. In the Ruby ecosystem, the gems execute malicious logic during the installation process, specifically targeting sensitive configuration files and secrets stored in the environment.

In the Go ecosystem, the attack focuses on intercepting the build process within GitHub Actions. The malicious module uses the init() function to execute code automatically upon import. The payload identifies the presence of a GitHub Actions runner by checking for GITHUB_ENV and GITHUB_PATH. Once identified, it modifies the HTTP_PROXY and HTTPS_PROXY environment variables and writes a fraudulent go binary to a cache directory. By appending this directory to the GITHUB_PATH, the attacker ensures that subsequent go commands in the workflow are intercepted by the fake wrapper. This wrapper is designed to influence or intercept execution while passing control back to the legitimate binary to prevent the CI job from failing and alerting the user.

Impact / Why It Matters

This campaign directly threatens the integrity of CI/CD pipelines and developer workstations by enabling persistent remote access and the theft of cloud infrastructure credentials. Developers and DevOps engineers should audit dependency trees for the "BufferZoneCorp" packages, inspect ~/.ssh/authorized_keys for unauthorized entries, and rotate all exposed secrets and credentials.