### Malicious Packages Identified The attacker-controlled GitHub account "**BufferZoneCorp**" published a series of malicious packages across both RubyGems and Go module ecosystems. While the packages have since been removed from RubyGems and blocked, it's crucial to understand the scope of the attack. The following packages were identified: * **Ruby:** * knot-activesupport-logger * knot-devise-jwt-helper * knot-rack-session-store * knot-rails-assets-pipeline * knot-rspec-formatter-json * knot-date-utils-rb (Sleeper gem) * knot-simple-formatter (Sleeper gem) * **Go:** * github[.]com/BufferZoneCorp/go-metrics-sdk * github[.]com/BufferZoneCorp/go-weather-sdk * github[.]com/BufferZoneCorp/go-retryablehttp * github[.]com/BufferZoneCorp/go-stdlib-ext * github[.]com/BufferZoneCorp/grpc-client * github[.]com/BufferZoneCorp/net-helper * github[.]com/BufferZoneCorp/config-loader * github[.]com/BufferZoneCorp/log-core (Sleeper module) * github[.]com/BufferZoneCorp/go-envconfig (Sleeper module) These packages were designed to mimic legitimate and well-known modules such as `activesupport-logger`, `devise-jwt`, `go-retryablehttp`, `grpc-client`, and `config-loader`, increasing the likelihood of developers inadvertently downloading them. ### Attack Vectors and Payload Details According to **Socket** security researcher Kirill Boychenko, "The account is part of a software supply chain campaign targeting developers, CI runners, and build environments across two ecosystems." The Ruby gems are engineered to automatically harvest sensitive information, including environment variables, SSH keys, **AWS** secrets, `.npmrc`, `.netrc`, **GitHub** CLI configuration, and RubyGems credentials during installation. This stolen data is then exfiltrated to a webhook endpoint controlled by the attacker. The Go modules exhibit a broader range of malicious capabilities. These include tampering with **GitHub** Actions workflows, injecting fake Go wrappers, stealing developer data, and adding a hard-coded SSH public key to the `~/.ssh/authorized_keys` file, granting unauthorized remote access. The payloads differ across the modules. Boychenko further explained, "The module executes through init(), detects GITHUB_ENV and GITHUB_PATH, sets HTTP_PROXY and HTTPS_PROXY, writes a fake go executable into a cache directory, and appends that directory to the workflow path so the wrapper is selected before the real binary. That wrapper can then intercept or influence later go executions while still passing control to the legitimate binary to avoid breaking the job." ### Remediation Steps Users who have installed any of the identified packages are strongly advised to take the following steps: * Immediately remove the packages from their systems. * Thoroughly review systems for any signs of unauthorized access to sensitive files or modifications to the `~/.ssh/authorized_keys` file. * Rotate all potentially exposed credentials, including SSH keys, API tokens, and passwords. * Carefully inspect network logs for any outbound HTTPS traffic directed towards the identified exfiltration point.