<![CDATA[(socket.dev) Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Compromise CI Environments and Steal Secrets]]>

<![CDATA[(socket.dev) Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Compromise CI Environments and Steal Secrets]]>(socket.dev) Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Compromise CI Environments and Steal Secrets

New supply chain campaign by threat actor BufferZoneCorp targets dev/CI environments via malicious Ruby gems and Go modules. Packages like `knot-activesupport-logger` and `go-retryablehttp` deploy credential theft, GitHub Actions tampering, and SSH persistence.

In brief - A multi-stage attack impersonates legitimate dev tools to harvest SSH/AWS/GitHub secrets, poison CI workflows, and establish persistence. Sleeper packages and typosquatting evade detection, exfiltrating data via hidden endpoints.

Technically - Ruby gems use `extconf.rb` to steal env vars (e.g., `~/.ssh/id_rsa`, `~/.aws/credentials`) during install, exfiltrating JSON-encoded data to `webhook[.]site/49c21843...`. Go modules abuse `init()` to modify `GITHUB_ENV`, disable `GOSUMDB`, and inject fake `go` wrappers. One module appends hardcoded SSH keys to `authorized_keys`. Obfuscation includes decimal-encoded endpoints and fragmented env var names.

Source: https://socket.dev/blog/malicious-ruby-gems-and-go-modules-steal-secrets-poison-ci

#Cybersecurity #ThreatIntel

]]>https://board.circlewithadot.net/topic/9e2ab213-eeba-4965-9166-9e311f995990/socket.dev-malicious-ruby-gems-and-go-modules-impersonate-developer-tools-to-compromise-ci-environments-and-steal-secretsRSS for NodeFri, 15 May 2026 02:52:45 GMTFri, 01 May 2026 03:02:11 GMT60