(socket.dev) Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Compromise CI Environments and Steal Secrets
-
New supply chain campaign by threat actor BufferZoneCorp targets dev/CI environments via malicious Ruby gems and Go modules. Packages like `knot-activesupport-logger` and `go-retryablehttp` deploy credential theft, GitHub Actions tampering, and SSH persistence.
In brief - A multi-stage attack impersonates legitimate dev tools to harvest SSH/AWS/GitHub secrets, poison CI workflows, and establish persistence. Sleeper packages and typosquatting evade detection, exfiltrating data via hidden endpoints.
Technically - The Ruby gems carry their payload in `extconf.rb`, which RubyGems executes during `gem install`, so installation alone harvests environment variables and credential files such as `~/.ssh/id_rsa` and `~/.aws/credentials` and exfiltrates them as JSON to `webhook[.]site/49c21843...`. The Go modules run their payload from `init()`, which executes automatically when the package is imported; they use it to append to `GITHUB_ENV` (so the changes apply to every later workflow step), disable `GOSUMDB` checksum verification, and inject fake `go` wrappers. One module appends hardcoded SSH keys to `authorized_keys` for persistence. Obfuscation includes decimal-encoded endpoints and environment variable names split into fragments to defeat string matching.
Source: https://socket.dev/blog/malicious-ruby-gems-and-go-modules-steal-secrets-poison-ci
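The `GITHUB_ENV` tampering described above only works because later workflow steps trust whatever earlier steps appended to that file. A CI job can audit the file before the next step consumes it. The Go program below is an added example written for this page, not code from Socket or from the campaign. It parses the real `GITHUB_ENV` format (`KEY=VALUE` lines and `KEY<<DELIM` heredocs), flags Go toolchain overrides that weaken module verification, flags a rewritten `PATH` (where a fake `go` wrapper would be placed), and decodes decimal-encoded IPv4 endpoints hidden in any value. The sample file content, the decimal-encoded host, and the exact set of keys checked are assumptions generalised from the summary, not indicators from the report.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Finding is one suspicious GITHUB_ENV entry.
type Finding struct {
	Key, Value, Reason string
}

// ParseGitHubEnv parses the GITHUB_ENV file format used by GitHub Actions:
// "KEY=VALUE" lines and multi-line "KEY<<DELIM ... DELIM" heredocs.
func ParseGitHubEnv(content string) map[string]string {
	env := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		// Heredoc form: the key precedes "<<" and contains no "=".
		if key, delim, ok := strings.Cut(line, "<<"); ok && !strings.Contains(key, "=") {
			var body []string
			for sc.Scan() && sc.Text() != delim {
				body = append(body, sc.Text())
			}
			env[strings.TrimSpace(key)] = strings.Join(body, "\n")
			continue
		}
		if key, val, ok := strings.Cut(line, "="); ok {
			env[strings.TrimSpace(key)] = val
		}
	}
	return env
}

// decimalHost matches a URL whose host is a bare 8-10 digit integer, the
// "decimal-encoded endpoint" trick (e.g. http://3232235777/ for 192.168.1.1).
var decimalHost = regexp.MustCompile(`(?i)https?://(\d{8,10})(?:[/:]|$)`)

// DecodeDecimalIP converts an IPv4 address written as a single decimal
// integer back to dotted form. Values above 2^32-1 are rejected.
func DecodeDecimalIP(s string) (string, bool) {
	n, err := strconv.ParseUint(s, 10, 32)
	if err != nil {
		return "", false
	}
	return net.IPv4(byte(n>>24), byte(n>>16), byte(n>>8), byte(n)).String(), true
}

// AuditGitHubEnv returns findings for toolchain overrides that a malicious
// init() could write to GITHUB_ENV, for PATH rewrites, and for decimal-encoded
// endpoints in any value. The key list is an assumption for this example.
func AuditGitHubEnv(content string) []Finding {
	env := ParseGitHubEnv(content)
	var out []Finding
	add := func(k, reason string) { out = append(out, Finding{k, env[k], reason}) }

	if strings.EqualFold(strings.TrimSpace(env["GOSUMDB"]), "off") {
		add("GOSUMDB", "module checksum database disabled")
	}
	if v, ok := env["GONOSUMDB"]; ok && v != "" {
		add("GONOSUMDB", "modules exempted from checksum verification")
	}
	if strings.Contains(env["GOFLAGS"], "-insecure") {
		add("GOFLAGS", "insecure module fetching enabled")
	}
	if v, ok := env["GOPROXY"]; ok && !strings.HasPrefix(v, "https://proxy.golang.org") {
		add("GOPROXY", "module proxy changed from the default")
	}
	if _, ok := env["PATH"]; ok {
		add("PATH", "PATH rewritten; a fake go wrapper can shadow the toolchain")
	}

	// Scan every value, in sorted key order for deterministic output.
	keys := make([]string, 0, len(env))
	for k := range env {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		for _, m := range decimalHost.FindAllStringSubmatch(env[k], -1) {
			if ip, ok := DecodeDecimalIP(m[1]); ok {
				add(k, "decimal-encoded endpoint resolves to "+ip)
			}
		}
	}
	return out
}

func main() {
	// Constructed sample GITHUB_ENV content for this example, not from the campaign.
	sample := "GOSUMDB=off\nGOFLAGS=-insecure\nNOTES<<EOF\nreport to http://3232235777/collect\nEOF\nFOO=bar\n"
	for _, f := range AuditGitHubEnv(sample) {
		fmt.Printf("%-8s %-40q %s\n", f.Key, f.Value, f.Reason)
	}
}
```

In a workflow this would run as a step between the dependency-fetch step and the build step, reading `$GITHUB_ENV` and failing the job on any finding; `GITHUB_PATH` (a separate file whose lines are prepended to `PATH` for later steps) deserves the same treatment, since it is the other route by which a wrapper directory can be placed ahead of the real `go` binary.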
-
relay@relay.infosec.exchange shared this topic