Poisoned Ruby Gems and Go Modules Compromise CI Pipelines, Steal Credentials, and Tamper with GitHub Actions
What Happened — A supply‑chain campaign authored by the GitHub account BufferZoneCorp published malicious Ruby gems and Go modules that act as sleeper packages. When these packages are added to a project’s dependency list, they later download additional payloads that harvest credentials, modify GitHub Actions workflows, and establish persistent SSH back‑doors on build runners.
Why It Matters for TPRM —
- Third‑party libraries are a common vector for credential leakage and build‑environment compromise.
- Compromised CI pipelines can give attackers unfettered access to downstream services and data.
- The attack leverages trusted package registries, making detection difficult for downstream organizations.
Who Is Affected — Software development firms, SaaS providers, fintech platforms, healthcare tech, and any organization that consumes Ruby gems or Go modules in CI/CD pipelines.
Recommended Actions —
- Audit all Ruby gem and Go module dependencies for unexpected versions or unpublished sources.
- Enforce signed package verification (e.g., RubyGems signing, Go module checksum verification).
- Harden GitHub Actions runners: use minimal permissions, rotate secrets regularly, and enable provenance checks.
- Monitor for anomalous outbound traffic from build agents and for new SSH keys on CI hosts.
Technical Notes — The attacker uses a “sleeper” technique: the initial package is benign, later pulling a second‑stage payload via HTTP(S). The payload includes a credential‑stealing script (key‑logger for environment variables) and a GitHub Actions workflow tampering module that injects malicious steps. Persistence is achieved by adding an SSH public key to the runner’s authorized_keys file. No public CVE is associated; the vector is a third‑party dependency exploit. Source: The Hacker News