Bright Nexus

Published on May 1, 2026

Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft

Severity
Medium

Detail

A new software supply chain attack has been identified involving malicious Ruby gems and Go modules designed to compromise developers, CI/CD pipelines, and build environments. The campaign has been linked to a GitHub account named BufferZoneCorp, which distributed trojanized packages disguised as legitimate and widely used libraries.

According to researchers from Socket, the attackers published multiple packages that mimic trusted dependencies to trick developers into installing them. Some of these packages acted as “sleeper” components, remaining inactive initially before later delivering malicious payloads.

The malicious Ruby gems were engineered to steal sensitive information during installation. This includes environment variables, SSH keys, cloud credentials, and configuration files such as .npmrc, .netrc, and GitHub CLI settings. The stolen data was then exfiltrated to attacker-controlled endpoints.

Meanwhile, the Go modules exhibited more advanced behavior, including tampering with GitHub Actions workflows, planting malicious wrappers, and establishing persistence. One notable technique involved inserting a rogue SSH public key into the system’s authorized_keys file, granting attackers remote access to compromised environments.

Additionally, the malware manipulated CI environments by modifying execution paths and injecting fake binaries, allowing attackers to intercept commands while maintaining normal workflow execution to avoid detection.

How?

The attack chain operates through multiple stages targeting development pipelines:

  • Attackers publish malicious Ruby gems and Go modules disguised as legitimate packages
  • Developers or CI systems install these dependencies unknowingly
  • Ruby gems execute during installation to harvest sensitive credentials and configuration files
  • Data is exfiltrated to attacker-controlled servers
  • Go modules manipulate CI environments by altering execution paths and injecting fake binaries
  • Malicious code tampers with GitHub Actions workflows
  • Attackers establish persistence by adding SSH keys for remote access
  • Compromised environments continue functioning normally, reducing suspicion

Conclusion

This campaign highlights the growing sophistication of software supply chain attacks, particularly targeting development and CI/CD environments. By abusing trusted ecosystems and dependencies, attackers can gain deep access to sensitive systems without triggering traditional security controls. Organizations and developers should:

  • Audit and verify third-party dependencies before installation
  • Use dependency scanning and integrity verification tools
  • Restrict and monitor CI/CD environment permissions
  • Rotate all credentials if compromise is suspected
  • Regularly inspect SSH configurations for unauthorized keys
  • Monitor outbound traffic for suspicious data exfiltration

Source

https://thehackernews.com/2026/05/poisoned-ruby-gems-and-go-modules.html