Malicious Ruby gems and Go modules infect CI pipelines
GitHub account BufferZoneCorp published sleeper Ruby gems and Go modules that stole CI environment credentials, altered GitHub Actions workflows and added SSH persistence.
A cluster of malicious Ruby gems and Go modules published by the GitHub account BufferZoneCorp targeted continuous integration pipelines and developer systems to steal environment credentials, modify GitHub Actions workflows and add SSH persistence. The activity was described in an analysis by Socket researcher Kirill Boychenko published today.
The packages were published to RubyGems and GitHub repositories offering Go modules. RubyGems maintainers removed the identified gems and the Go modules were blocked at the time of the report. Identified Ruby packages include knot-activesupport-logger, knot-devise-jwt-helper, knot-rack-session-store, knot-rails-assets-pipeline, knot-rspec-formatter-json, knot-date-utils-rb and knot-simple-formatter. Go repositories tied to the campaign include github.com/BufferZoneCorp/go-metrics-sdk, go-weather-sdk, go-retryablehttp, go-stdlib-ext, grpc-client, net-helper, config-loader, log-core and go-envconfig.
The campaign used sleeper packages that impersonated popular libraries to increase the chance developers would download them. The Ruby gems executed code during installation to collect environment variables, SSH keys, AWS secrets, .npmrc and .netrc files, GitHub CLI configuration and RubyGems credentials. Collected data was sent to an attacker-controlled Webhook.site endpoint.
The Go modules delivered a set of capabilities aimed at interfering with CI jobs and enabling persistent access. The modules run initialization code via init(), check for GITHUB_ENV and GITHUB_PATH, set HTTP_PROXY and HTTPS_PROXY variables, and write a fake go executable into a cache directory. That cache directory is then added to the workflow path so the wrapper can run before the real go binary. Some modules appended a hard-coded SSH public key to ~/.ssh/authorized_keys to enable remote access. Payloads and functions were spread across multiple packages rather than centralized in a single module.
The analysis recommends that developers and CI operators who installed or referenced these packages remove them immediately, inspect build environments and developer machines for unauthorized access, rotate any exposed credentials, and examine ~/.ssh/authorized_keys for unexpected entries. Teams should also review network logs for outbound HTTPS traffic to unknown endpoints such as webhook.site.
The repositories linked to the campaign have been taken down or blocked. The public report provides indicators of compromise and behavioral details for teams to use when investigating affected systems.
