Full Report
A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that enabled credential theft, GitHub Actions tampering, and SSH persistence. The activity has been attributed to the GitHub account "BufferZoneCorp," which has published a set of repositories that are associated with malicious Ruby gems and Go modules. As of
Analysis Summary
# Tool/Technique: BufferZoneCorp Supply Chain Attack
## Overview
This is a coordinated software supply chain campaign targeting developers and Continuous Integration (CI) environments across the RubyGems and Go ecosystems. The attack utilizes "sleeper packages"—malicious libraries that remain dormant or appear legitimate before being updated or triggered to deliver payloads that steal credentials and establish persistence.
## Technical Details
- **Type:** Malware / Supply Chain Attack
- **Platform:** Linux, macOS, CI/CD Environments (specifically GitHub Actions)
- **Capabilities:** Credential theft, CI/CD pipeline tampering, environment variable harvesting, and SSH persistence.
- **First Seen:** May 01, 2026 (Reported date)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools]
- **[TA0003 - Persistence]**
- [T1098.004 - Account Manipulation: SSH Authorized Keys]
- **[TA0005 - Defense Evasion]**
- [T1036.005 - Masquerading: Device Driver Manager] (Typosquatting/Mimicking legitimate modules)
- [T1574.007 - Hijack Execution Flow: Path Extension Precedence]
- **[TA0006 - Credential Access]**
- [T1555 - Credentials from Password Stores]
- [T1552.001 - Unsecured Credentials: Credentials in Files]
- **[TA0010 - Exfiltration]**
- [T1567 - Exfiltration Over Web Service]
## Functionality
### Core Capabilities
- **Credential Harvesting:** Automatically scrapes high-value secrets including AWS secrets, SSH keys, `.npmrc`, `.netrc`, GitHub CLI configurations, and RubyGems credentials.
- **Environment Variable Theft:** Captures all system environment variables, which often contain sensitive API keys and tokens in CI/CD environments.
- **Exfiltration:** Utilizes Webhook[.]site endpoints to funnel stolen data out of the compromised environment.
### Advanced Features
- **CI/CD Tampering:** Specifically targets GitHub Actions by detecting `GITHUB_ENV` and `GITHUB_PATH` variables.
- **Binary Proxying:** In Go environments, the malware writes a fake `go` executable to a cache directory and prepends it to the system `PATH`. This "wrapper" intercepts commands, allowing the attacker to influence builds while passing the final execution to the legitimate binary to avoid detection.
- **Sleeper Mechanism:** Includes "knot-date-utils-rb" and "log-core" packages designed to remain inconspicuous until a later stage of the attack.
- **Network Proxy Manipulation:** Sets `HTTP_PROXY` and `HTTPS_PROXY` within the build environment to intercept or redirect traffic.
## Indicators of Compromise
- **File Names:**
- `~/.ssh/authorized_keys` (Modified to include attacker keys)
- `go` (Fake wrapper binary in cache directories)
- **Network Indicators:**
- `webhook[.]site` (Exfiltration endpoint)
- `github[.]com/BufferZoneCorp/*` (Malicious Go repository path)
- **Behavioral Indicators:**
- Unexpected modifications to the `PATH` environment variable in CI runners.
- Outbound HTTPS requests to `webhook.site` from build servers.
- Presence of unauthorized SSH public keys.
## Associated Threat Actors
- **BufferZoneCorp** (GitHub account profile used for distribution)
## Detection Methods
- **Signature-based detection:** Scanning for the following malicious package names:
- **Ruby:** `knot-activesupport-logger`, `knot-devise-jwt-helper`, `knot-rack-session-store`, `knot-rails-assets-pipeline`, `knot-rspec-formatter-json`, `knot-date-utils-rb`, `knot-simple-formatter`.
- **Go:** `go-metrics-sdk`, `go-weather-sdk`, `go-retryablehttp`, `go-stdlib-ext`, `grpc-client`, `net-helper`, `config-loader`, `log-core`, `go-envconfig`.
- **Behavioral detection:** Monitoring for CI/CD workflows that modify `~/.ssh/authorized_keys` or write unexpected binaries to the `PATH`.
- **Audit Logs:** Reviewing RubyGems and Go module dependency trees for the "knot-" prefix or "BufferZoneCorp" source.
## Mitigation Strategies
- **Dependency Pinning:** Use lockfiles (e.g., `Gemfile.lock`, `go.sum`) and verify checksums for all external dependencies.
- **Secret Rotation:** Immediately rotate all AWS, GitHub, NPM, and SSH keys if any of the listed packages were present in the environment.
- **CI/CD Hardening:** Use "Minimal Privilege" permissions for GITHUB_TOKEN and restrict network access for CI runners to only necessary domains.
- **Integrity Checks:** Regularly audit `~/.ssh/authorized_keys` on development machines and build agents.
## Related Tools/Techniques
- **Typosquatting:** Similar to historical attacks where malicious users register names similar to popular libraries (e.g., `activesupport-logger`).
- **Dependency Confusion:** Exploiting the way package managers prioritize internal vs. external repositories.