Sleeper Ruby Gems and Go Modules Hijack CI Pipelines for Credential Theft
Original source: Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft (The Hacker News)

A GitHub account operating as BufferZoneCorp seeded the RubyGems and Go module ecosystems with typosquatted packages mimicking well-known libraries such as activesupport-logger, devise-jwt, go-retryablehttp, and config-loader. Socket researcher Kirill Boychenko traced the cluster across the two ecosystems, finding sleeper packages used as quiet conduits before later versions delivered active payloads. RubyGems has yanked the gems and the Go modules have been blocked, but the campaign demonstrates a deliberate two-stage approach designed to clear initial review and slip malicious updates into pinned dependencies.
The Ruby gems trigger at install time to scrape a wide credential surface — environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI config, and RubyGems tokens — and exfiltrate the haul to a Webhook.site endpoint. The Go modules go further by abusing CI semantics directly: an init() function detects GITHUB_ENV and GITHUB_PATH, sets HTTP/HTTPS proxies, drops a fake go binary into a cache directory, and prepends that directory to the workflow PATH so subsequent go invocations route through an attacker-controlled wrapper that still calls the real binary to avoid visible breakage. Several modules also append a hard-coded public key to ~/.ssh/authorized_keys, granting persistent remote access to any host that imports them.
The payloads are split across the cluster rather than bundled, which complicates IOC-based detection and lets each module target a narrow capability. Affected developers and CI operators need to purge the packages, audit ~/.ssh/authorized_keys for unknown keys, rotate every credential in the targeted file set, and pull egress logs for traffic to the exfiltration host. The bigger lesson is the GitHub Actions wrapper trick — a quiet PATH-shimming pattern that turns a single transitive dependency into a foothold across an entire build environment.
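As an added example (not code from the article, from Socket, or from any of the packages involved), the Python helpers below implement the checks a CI operator would run against a job's environment to spot the PATH-shim pattern described above and to carry out the audit steps just listed: a `go` binary in a directory that precedes the real toolchain on PATH, proxy variables set on a job that should have none, authorized_keys entries outside an allowlist, and egress log lines naming the webhook.site host. The sample PATH, directory tree, environment, key file and log lines are constructed; the trusted toolchain directories and the key allowlist are assumptions you would replace with your own runner's values.

```python
"""Audit helpers for a CI runner (added example, not the article's code).

Each helper takes its input as an argument, so it can run against a live
runner (os.environ, os.listdir, open files) or against the constructed
sample data at the bottom of this file.
"""
import os
import re
from typing import Callable, Iterable

PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy")
EXFIL_HOSTS = ("webhook.site",)  # host named in the article; extend with your own IOCs


def shadowing_dirs(path_value: str, trusted_dirs: Iterable[str], binary: str = "go",
                   listdir: Callable[[str], Iterable[str]] = os.listdir) -> list[str]:
    """PATH entries that ship `binary` and sit before the first trusted toolchain dir.

    Such an entry wins the lookup for `go`, which is what a GITHUB_PATH-prepended
    cache directory holding a fake `go` achieves. Entries after the trusted dir
    cannot shadow it and are not inspected.
    """
    trusted = {os.path.normpath(d) for d in trusted_dirs}
    hits = []
    for entry in filter(None, path_value.split(os.pathsep)):
        entry = os.path.normpath(entry)
        if entry in trusted:
            break
        try:
            if binary in set(listdir(entry)):
                hits.append(entry)
        except OSError:
            continue  # missing or unreadable directory cannot shadow anything
    return hits


def unexpected_proxies(env: dict) -> dict:
    """Proxy variables present in the job environment; a job with direct egress needs none."""
    return {k: env[k] for k in PROXY_VARS if env.get(k)}


_KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")


def unknown_authorized_keys(authorized_keys_text: str, allowed_blobs: Iterable[str]) -> list[str]:
    """Key lines whose base64 blob is not on the allowlist (options and comments are ignored)."""
    allowed = set(allowed_blobs)
    unknown = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if m is None or m.group(2) not in allowed:
            unknown.append(line)
    return unknown


def exfil_log_lines(log_lines: Iterable[str], hosts: Iterable[str] = EXFIL_HOSTS) -> list[str]:
    """Egress log lines that reference one of the known exfiltration hosts."""
    needles = tuple(h.lower() for h in hosts)
    return [line for line in log_lines if any(h in line.lower() for h in needles)]


# --- constructed sample data; paths, keys and URLs are placeholders, not real IOCs ---
TRUSTED_GO_DIRS = ["/opt/hostedtoolcache/go/1.22.0/x64/bin", "/usr/bin"]  # assumption
SAMPLE_PATH = "/home/runner/.cache/gobuild:/opt/hostedtoolcache/go/1.22.0/x64/bin:/usr/bin"
SAMPLE_TREE = {"/home/runner/.cache/gobuild": ["go"], "/usr/bin": ["go", "git"]}
SAMPLE_ENV = {"GITHUB_ENV": "/tmp/env", "HTTPS_PROXY": "http://127.0.0.1:8080", "CI": "true"}
SAMPLE_KEYS = """# runner keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownKeyBlob0000000000000000 ops@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUnknownInjectedKeyBlob000000000000000 backdoor
"""
ALLOWED_BLOBS = ["AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownKeyBlob0000000000000000"]
SAMPLE_EGRESS = [
    "2024-01-01T00:00:01Z CONNECT proxy.golang.org:443 200",
    "2024-01-01T00:00:02Z POST https://webhook.site/00000000-0000-0000-0000-000000000000 200",
]


def audit(path_value=SAMPLE_PATH, tree=SAMPLE_TREE, env=SAMPLE_ENV, keys=SAMPLE_KEYS,
          allowed=ALLOWED_BLOBS, egress=SAMPLE_EGRESS, trusted=TRUSTED_GO_DIRS) -> dict:
    """Run all four checks and return findings keyed by check name (empty = clean)."""
    return {
        "shadowing_dirs": shadowing_dirs(path_value, trusted, listdir=lambda d: tree.get(d, [])),
        "proxies": unexpected_proxies(env),
        "unknown_keys": unknown_authorized_keys(keys, allowed),
        "exfil_traffic": exfil_log_lines(egress),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result or 'clean'}")
```

On a real runner, call `audit(os.environ["PATH"], env=dict(os.environ), keys=open(os.path.expanduser("~/.ssh/authorized_keys")).read(), ...)` with the `listdir` default left in place, and fail the job when any finding is non-empty. Breaking out of the PATH walk at the first trusted directory keeps the check precise: it flags only directories that would actually be consulted before the genuine toolchain.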
This is an AI-generated summary. Read the original at The Hacker News for the full story.