Poisoned Ruby and Go modules target CI: data theft and SSH access

Colleagues, a cybersecurity alert: a campaign has been found distributing poisoned Ruby gems and Go modules masquerading as popular packages.
- Socket and researcher Kirill Boichenko link the attack to the BufferZoneCorp account and ‘sleeper’ packages.
- The Ruby gems exfiltrate environment variables, SSH keys, cloud secrets, .npmrc/.netrc, GitHub CLI credentials and other secrets, and send them to webhook.site.
- The Go modules replace the go binary via a wrapper, interfere with GitHub Actions and add an SSH key to ~/.ssh/authorized_keys.
Remove suspicious dependencies, check ~/.ssh/authorized_keys, rotate credentials and review outbound HTTPS logs.
Why this matters: supply‑chain attacks threaten CI and infrastructure.
Have you scanned your CI dependencies for ‘sleeper’ packages?
#cybersecurity #supplychain #DevOps #CI
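
A triage script for the checks listed above, added here as an example; it is not from the original post or from Socket's report. The allowlist file, the egress log and all function names are assumptions. It flags authorized_keys entries that are not on your allowlist, a go that resolves to a script, and webhook.site in an egress log.

```bash
#!/usr/bin/env bash
# Added example, not from the original post; file names here are assumptions.

# Print authorized_keys entries whose key blob is not on the allowlist.
# $1 = authorized_keys file, $2 = allowlist (one base64 key blob per line)
unknown_ssh_keys() {
  local allow="$2"
  [ -f "$1" ] || return 0
  [ -f "$allow" ] || allow=/dev/null         # no allowlist: report every key
  awk '
    FILENAME == ARGV[1] { allowed[$1] = 1; next }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
      # The key blob follows the key type; options may precede the type.
      for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
          if (!($(i + 1) in allowed)) print
          next
        }
      print                                  # unparseable entry: report it
    }
  ' "$allow" "$1"
}

# Succeed if the file starts with "#!", i.e. a script standing in for a binary.
# Version-manager shims also match; a compiled wrapper is not caught.
is_script_wrapper() {
  [ -f "$1" ] && [ "$(head -c 2 "$1")" = "#!" ]
}

# Run the checks; args: authorized_keys, allowlist, egress log, [go path].
# Returns the number of checks that fired.
triage() {
  local findings=0 keys hits go_path="${4:-$(command -v go || true)}"
  keys=$(unknown_ssh_keys "$1" "$2")
  if [ -n "$keys" ]; then
    printf 'authorized_keys entries not on allowlist:\n%s\n' "$keys"
    findings=$((findings + 1))
  fi
  if is_script_wrapper "$go_path"; then
    echo "go resolves to a script, inspect it: $go_path"
    findings=$((findings + 1))
  fi
  hits=$(grep -iF 'webhook.site' "$3" 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf 'egress log mentions webhook.site:\n%s\n' "$hits"
    findings=$((findings + 1))
  fi
  return "$findings"
}
if [ "$#" -ge 3 ]; then triage "$@"; fi
```

Run it on each CI runner with that runner's authorized_keys, your own key allowlist and an exported proxy or egress log; a non-zero exit status means at least one check fired.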

