Ruby and Go Supply Chain Attack: Discover the Sleeper Risk

A new supply chain attack targets Ruby and Go using sleeper packages and fake wrappers. Learn how to protect CI/CD pipelines and corporate secrets.

Ruby and Go Supply Chain Attack: Discover the Sleeper Risk

Continuous integration pipelines are turning into vectors of silent compromise. On May 1, 2026, a new software supply chain attack campaign exploited sleeper packages and fake wrappers in Go modules to steal credentials and tamper with GitHub Actions. The activity, attributed to the GitHub account 'BufferZoneCorp', targeted the Ruby and Go ecosystems, compromising build environments through elusive techniques designed to bypass CI/CD checks.

The evolution of the supply chain attack between Ruby gems and Go modules

A supply chain attack targets a company's vendors, partners, or software dependencies to infiltrate or disrupt corporate systems. Attackers poison legitimate workflows, such as code repositories or package managers, resulting in the covert distribution of malware. The campaign detected on May 1, 2026, falls into this context, demonstrating a significant evolution in compromise methodologies compared to previously observed mass techniques. As early as 2025, far-reaching campaigns like Shai-Hulud 2.0 on npm and PyPI exploited a self-replicating worm hitting tens of millions of downloads, while other initiatives flooded registries with tens of thousands of useless packages. Today's attack represents a significant shift toward targeted sophistication: the use of sleeper modules and fake wrappers evades mass noise, preferring invisibility within specific CI/CD pipelines.

The GitHub account 'BufferZoneCorp' published repositories associated with malicious Ruby gems and Go modules. As highlighted by Kirill Boychenko, a security researcher at Socket, "The account is part of a software supply chain campaign targeting developers, CI runners, and build environments across two ecosystems". The campaign involved a total of 9 Go modules, 2 of which were defined as "sleeper modules", capable of remaining inactive until triggered in specific environments. The use of sleeper modules likely serves as a shield to evade automated static analysis in package registries, activating only when the execution context proves profitable.

Credential theft and code injection in Ruby gems

The Ruby attack vector exploited packages mimicking trusted libraries, using prefixes like 'knot-' (e.g., knot-activesupport-logger) and the RubyGems profile 'knot-theory'. This typosquatting technique deceives developers searching for legitimate dependencies. Once installed, these packages automate credential theft by exploiting the native extension build process. In Ruby, native extensions require the execution of compilation commands during installation; this legitimate dynamic is hijacked to execute malicious code with the privileges of the user or the CI system.

The payload steals environment variables, SSH keys, AWS secrets, .npmrc, .netrc files, GitHub CLI configuration, and RubyGems credentials. The stolen data is exfiltrated in JSON format to a Webhook.site endpoint controlled by the attackers, suppressing errors to avoid suspicion during the build process. Regarding the removal status of these packages, sources provide conflicting information: while one source indicates that the RubyGems packages were removed at the time of publication, another states that the Ruby gems remained active during initial investigations. This suggests that the exposure window might have been wider than expected before complete blocking by the registry maintainers.

Sleeper modules and fake wrappers evade CI/CD checks

The attack on the Go ecosystem showed an even higher level of sophistication, directly aiming at the compromise of continuous integration and delivery pipelines. Go modules execute advanced payloads via the init() function, which is automatically called when the module is imported. The malicious code detects the presence of the GITHUB_ENV and GITHUB_PATH variables, confirming that it is inside a GitHub Actions runner. In this environment, the module sets HTTP_PROXY and HTTPS_PROXY, potentially allowing the interception of outbound network traffic from the build system.

Furthermore, the attack writes a fake go executable in a cache directory and adds it to the workflow path by altering GITHUB_PATH. This fake wrapper intercepts subsequent go executions. As explained by Kirill Boychenko, "That wrapper can then intercept or influence later go executions while still passing control to the legitimate binary to avoid breaking the job". By passing control to the legitimate binary, the malware prevents the CI/CD job from failing, ensuring that the intervention remains invisible to developers. Some Go modules also disable checksum verification or remove dependency entries from project files; this move likely serves to intercept and hijack legitimate packages in later stages of dependency resolution.

SSH persistence and impact on build environments

Beyond data theft and traffic interception, the campaign aimed to ensure persistent access to compromised servers. If the initial credential exfiltration is successful, the payload adds a hardcoded SSH public key to the user's authorized_keys file. This action grants attackers persistent remote access to the build environment, regardless of the initial supply chain vulnerability. Build environments and CI runners are high-value targets because they hold production secrets, signing keys, and access to deployment systems. Once SSH access is obtained, attackers can move laterally, inject code directly into production releases, or exfiltrate further sensitive data.

Since sources do not indicate the availability of specific patches for this campaign, network segmentation, limiting the Internet exposure of devices, and isolating CI/CD runners represent the priority defensive measures to mitigate similar compromises. Always verifying code integrity using cryptographic hashes to confirm the authenticity of software packages, without relying solely on tags, and adopting secure credential management, avoiding storing secrets in plain text in code or logs, is essential to reduce the attack surface. The adoption of continuous monitoring systems to promptly detect anomalous behaviors or unauthorized access attempts completes the framework of necessary countermeasures.

Frequently asked questions

How do sleeper packages work in supply chain attacks?
Sleeper packages remain inactive or exhibit seemingly harmless behavior until they are in a specific environment, such as a CI/CD pipeline. This allows them to bypass automated security checks and activate the malicious payload only when conditions, such as a runner's environment variables, are met.
How do Ruby gems steal credentials during installation?
Malicious Ruby gems exploit the native extension build process, which automatically executes scripts during installation. This mechanism is used to copy environment variables, SSH keys, and AWS secrets, sending them to a remote endpoint and suppressing errors to avoid raising suspicion.
Why is the fake wrapper in Go modules dangerous for CI/CD pipelines?
The fake wrapper replaces the legitimate executable by intercepting subsequent go commands, but passes control to the original binary to avoid interrupting the job. This ensures that the build process does not fail, allowing the malware to operate in the background without developers noticing anomalies in the pipeline.

The information has been verified against the cited sources and updated at the time of publication.

Sources