RubyGems profile knot-theory tied to the campaign
Security researchers at Socket have uncovered a coordinated software supply chain campaign orchestrated through the GitHub account BufferZoneCorp. The operation targets developers, CI runners, and build environments across both the Ruby and Go ecosystems using a “sleeper” strategy: publishing plausible utility packages that are later weaponized with malicious payloads.
While the Go Security team acted swiftly to block the identified modules, several malicious Ruby gems remain live as of early May 2026.
On the Ruby side, the campaign utilizes gems like knot-activesupport-logger to automate the theft of sensitive credentials. The attack leverages the extconf.rb file, which RubyGems executes automatically during the native extension build process.
The malicious code filters environment variables for keywords such as token, key, secret, aws, and auth. It specifically targets a wide array of local developer files for exfiltration:
- SSH Keys: ~/.ssh/id_rsa and ~/.ssh/id_ed25519
- Cloud & Registry Credentials: ~/.aws/credentials, ~/.npmrc, and ~/.gem/credentials
- Development Tools: GitHub CLI configuration (hosts.yml) and .netrc machine credentials
According to the report, “The install time path is the most consequential because it can run before a user ever explicitly invokes the advertised package functionality”.
The Go-based attacks are more diverse, focusing heavily on compromising CI/CD pipelines. Modules such as go-metrics-sdk and go-retryablehttp execute automatically via the init() function to subvert build environments.
Key malicious behaviors in the Go modules include:
- Dependency Subversion: Poisoning GOPROXY, disabling the checksum database (GOSUMDB=off), and tampering with go.sum to force the re-resolution of dependencies through attacker-controlled settings.
- Path Hijacking: Planting fake go wrappers in the workflow execution path to intercept commands and exfiltrate invocation arguments.
- SSH Backdoors: In one critical instance, a module establishes persistence by appending a hardcoded SSH public key to ~/.ssh/authorized_keys.
Across both ecosystems, the campaign uses shared infrastructure for data collection. Socket identified a hidden exfiltration endpoint—https://webhook[.]site/49c21843-c27c-4a1b-b1f6-037c3998055f—used by both the Ruby and Go payloads.
To evade simple detection, the threat actors used visual and semantic similarity to trusted tools. Gem names were prefixed with knot- (e.g., knot-devise-jwt-helper), while Go modules used names similar to established libraries like HashiCorp’s go-retryablehttp.
The BufferZoneCorp campaign demonstrates a sophisticated understanding of developer workflows and build-system mechanics. Socket recommends that any potentially exposed credentials be rotated immediately.
Recommended Defensive Steps:
- Audit Dependencies: Check for any packages from BufferZoneCorp or the knot-theory RubyGems profile.
- Verify CI/CD Settings: Ensure GOPROXY and GOSUMDB settings have not been tampered with in your GitHub Actions environments.
- Check SSH Keys: Inspect ~/.ssh/authorized_keys for unauthorized entries, specifically those tagged with deploy@buildserver.
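The checks above can be scripted for a developer machine or CI runner. The shell functions below are an added example, not code from Socket's report or from this article; they cover the three steps plus a look for script wrappers named go on the PATH. The knot- prefix match, the comparison against upstream Go defaults, the EXPECTED_GOPROXY override variable and all sample data in demo are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage checks for the defensive steps above (not Socket's tooling).
# Inputs are parameters so each check can run on real files or on samples.

# Gems carrying the campaign's "knot-" prefix in a Gemfile.lock (heuristic: review hits).
find_knot_gems() {  # $1 = Gemfile.lock
  grep -Eo '^ +knot-[A-Za-z0-9_.-]+' "$1" | tr -d ' ' | sort -u
}

# Go settings that differ from upstream defaults or disable checksum verification.
go_env_findings() {  # $1 = GOPROXY value, $2 = GOSUMDB value
  [ "$1" = "${EXPECTED_GOPROXY:-https://proxy.golang.org,direct}" ] ||
    echo "GOPROXY unexpected: $1"
  case "$2" in
    off) echo "GOSUMDB disabled" ;;
    sum.golang.org) ;;
    *) echo "GOSUMDB unexpected: $2" ;;
  esac
}

# Line numbers in authorized_keys whose entry carries the reported comment tag.
find_tagged_keys() {  # $1 = authorized_keys, $2 = tag (optional)
  grep -nF -- "${2:-deploy@buildserver}" "$1" | cut -d: -f1
}

# Executables named "go" on a PATH string that are scripts rather than binaries.
find_go_script_wrappers() {  # $1 = PATH-style string
  (IFS=:; for dir in $1; do
    [ -x "$dir/go" ] && [ "$(head -c 2 "$dir/go")" = "#!" ] && echo "$dir/go"
  done; true)
}

# Demo on constructed sample files (versions, keys and proxy URL are made up).
demo() {
  d=$(mktemp -d) || return 1
  printf 'GEM\n  specs:\n    knot-activesupport-logger (0.0.0)\n    rake (13.0.6)\n' > "$d/Gemfile.lock"
  printf 'ssh-ed25519 AAAAexample alice@laptop\nssh-ed25519 AAAAexample deploy@buildserver\n' > "$d/authorized_keys"
  mkdir "$d/bin" && printf '#!/bin/sh\nexit 0\n' > "$d/bin/go" && chmod +x "$d/bin/go"
  find_knot_gems "$d/Gemfile.lock"
  go_env_findings "https://proxy.example.invalid" "off"
  find_tagged_keys "$d/authorized_keys"
  find_go_script_wrappers "$d/bin:/nonexistent" | sed "s|^$d/||"
  rm -rf "$d"
}
demo
```

On a real host, call `go_env_findings "$(go env GOPROXY)" "$(go env GOSUMDB)"` and `find_tagged_keys ~/.ssh/authorized_keys`. Script shims installed by Go version managers also show up in the wrapper check, so each hit needs manual review.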