thehackernews.com 5/1/2026, 9:51:25 AM

Supply chain attack hits RubyGems, Go modules to steal credentials

A new software supply chain campaign has been observed using sleeper packages in RubyGems and Go modules to push malicious payloads that enable credential theft, GitHub Actions tampering and SSH persistence. The activity has been attributed to the GitHub account BufferZoneCorp, which has published repositories tied to the malicious Ruby gems and Go modules; at the time of writing the gems have been yanked from RubyGems and the Go modules have been blocked.

The Ruby gems target credential theft by harvesting environment variables, SSH keys, AWS secrets, and various configuration files, with stolen data exfiltrated to an attacker‑controlled webhook site.

The Go modules are broader in scope: they can tamper with GitHub Actions workflows, plant fake wrappers, steal developer data and add a hard‑coded SSH public key to the user's ~/.ssh/authorized_keys for remote access. The payloads vary across the cluster of modules, and not all of them carry the same functionality.

According to Socket security researcher Kirill Boychenko, the malicious code runs from the module's init() function, which Go executes automatically whenever the package is imported. It detects GITHUB_ENV and GITHUB_PATH, sets HTTP_PROXY and HTTPS_PROXY, writes a fake go executable into a cache directory, and appends that directory to the workflow path so the wrapper is chosen before the real binary, allowing interception while the job still appears to execute normally.

Users who installed the packages are advised to remove them, rotate exposed credentials and review for signs of unauthorized access or changes, including outbound HTTPS traffic to the exfiltration point.
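The three indicators described above (unexpected proxy variables, a `go` binary shadowed by an earlier PATH entry, and an unapproved key in authorized_keys) can each be checked mechanically on a runner or developer machine. The following Go program is an added defensive example written for this summary; it is not code from the article, from Socket, or from the campaign. The sample authorized_keys content, the proxy allowlist and the directory names are constructed for illustration, and the `exists` callback is a hypothetical injection point so the PATH check can run over a fake filesystem.

```go
package main

import (
	"bufio"
	"fmt"
	"path/filepath"
	"strings"
)

// Finding describes one suspicious indicator found on a build host or runner.
type Finding struct {
	Kind   string // "proxy-env", "path-shadow" or "ssh-key"
	Detail string
}

// CheckProxyEnv flags HTTP_PROXY / HTTPS_PROXY values that are set but not on the
// organisation's allowlist. A CI job that suddenly routes through an unknown proxy
// is one of the behaviours described for the malicious Go modules.
func CheckProxyEnv(env map[string]string, allowedProxies []string) []Finding {
	var out []Finding
	for _, k := range []string{"HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy"} {
		v, ok := env[k]
		if !ok || v == "" {
			continue
		}
		allowed := false
		for _, a := range allowedProxies {
			if v == a {
				allowed = true
				break
			}
		}
		if !allowed {
			out = append(out, Finding{Kind: "proxy-env", Detail: k + "=" + v})
		}
	}
	return out
}

// CheckPathShadowing walks PATH entries in order and reports every directory that
// holds an executable named "go" before the trusted install directory is reached.
// Entries after the trusted directory cannot shadow it and are ignored. The exists
// callback reports whether a path is present (hypothetical injection point; in
// production it would wrap os.Stat plus an executable-bit check).
func CheckPathShadowing(pathEntries []string, trustedGoDir string, exists func(string) bool) []Finding {
	var out []Finding
	for _, dir := range pathEntries {
		if dir == trustedGoDir {
			return out
		}
		if exists(filepath.Join(dir, "go")) {
			out = append(out, Finding{Kind: "path-shadow", Detail: dir})
		}
	}
	return out
}

// CheckAuthorizedKeys parses authorized_keys content and reports every key whose
// "type data" pair is not in the approved set. Option prefixes such as
// command="..." are skipped by locating the first field that looks like a key type.
func CheckAuthorizedKeys(content string, approved map[string]bool) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		var keyType, keyData string
		for i, f := range fields {
			if strings.HasPrefix(f, "ssh-") || strings.HasPrefix(f, "ecdsa-") || strings.HasPrefix(f, "sk-") {
				if i+1 < len(fields) {
					keyType, keyData = f, fields[i+1]
				}
				break
			}
		}
		if keyType == "" {
			continue // malformed line; not a key
		}
		if !approved[keyType+" "+keyData] {
			out = append(out, Finding{Kind: "ssh-key", Detail: keyType + " " + keyData})
		}
	}
	return out
}

// sampleAuthorizedKeys is constructed sample input, not material from the campaign.
const sampleAuthorizedKeys = `# approved team key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexampleteamkey000000000000000000 dev@example
command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQexampleunknownkey nobody
`

func main() {
	approved := map[string]bool{"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexampleteamkey000000000000000000": true}
	for _, f := range CheckAuthorizedKeys(sampleAuthorizedKeys, approved) {
		fmt.Printf("%s: %s\n", f.Kind, f.Detail)
	}
}
```

On a GitHub-hosted runner the same PATH check can be pointed at the file named by GITHUB_PATH: each line of that file is a directory prepended to PATH for later steps, so feeding those lines (in order) to CheckPathShadowing with the runner's real Go install directory as trustedGoDir will surface a writable cache directory that a compromised module has slipped in front of the real binary.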

Article by CyberSIXT