Multi-Ecosystem Sleeper Packages Target CI Pipelines for Credential Theft and Persistence

Starting April 29, 2026, researchers identified at least two separate campaigns distributing malicious sleeper packages across RubyGems, npm, Go modules, and other open-source registries. These attacks are designed to exfiltrate developer credentials, hijack GitHub Actions workflows, and secure persistence within continuous integration (CI) pipelines. Because CI runners are often ephemeral and subject to less scrutiny than corporate endpoints, they have become lucrative targets for threat actors—serving as both "ATMs" for secrets and vectors for downstream compromise. This tactical shift focuses not only on secret theft but also on targeting AI coding agent configurations and using interceptor wrappers to influence builds without causing immediate failures.

The Go wrapper mechanism: Hijacking the build binary

The Go modules distributed by the BufferZoneCorp account do more than just execute code upon installation. Analysis by Socket researcher Kirill Boychenko reveals that the packages trigger an interception mechanism that persistently alters the CI runner environment. Using the init() function, the code detects the GITHUB_ENV and GITHUB_PATH environment variables, confirming it is running within a GitHub Actions pipeline. It then sets HTTP_PROXY and HTTPS_PROXY and writes a fraudulent Go executable into a cache directory, prioritizing it within the workflow's PATH.

"The module executes through init(), detects GITHUB_ENV and GITHUB_PATH, sets HTTP_PROXY and HTTPS_PROXY, writes a fake go executable into a cache directory, and appends that directory to the workflow path so the wrapper is selected before the real binary," — Kirill Boychenko, Socket

Subsequent compiler executions are redirected to the malicious wrapper, which can manipulate the build process without triggering a failure. Additionally, the package inserts a hardcoded SSH key into the ~/.ssh/authorized_keys file, maintaining a remote access channel even after the job concludes. This creates silent persistence in an environment that is typically expected to be destroyed within minutes.

RubyGems and silent exfiltration to attacker-controlled endpoints

Alongside the Go modules, the BufferZoneCorp account published Ruby gems masquerading as legitimate libraries. Upon installation, these packages initiate an aggressive credential harvesting routine, targeting environment variables, SSH keys, AWS secrets, .npmrc and .netrc files, GitHub CLI configurations, and RubyGems credentials. The stolen data is then exfiltrated to an attacker-controlled Webhook.site endpoint.

While the packages have been removed from RubyGems and blocked on the Go registry, users who installed them during the window between publication and removal may have already exposed critical secrets. This operation underscores how a standard bundle install or go get command in a CI runner can be weaponized into a systematic token harvesting operation.

Mini Shai-Hulud and the npm offensive: Compromised SAP packages

A second campaign, dubbed Mini Shai-Hulud, targeted at least four SAP packages published to npm on April 29, 2026: mbt, @cap-js/db-service, @cap-js/postgres, and @cap-js/sqlite. Each package contained a pre-install script designed to steal developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud credentials for AWS, Azure, GCP, and Kubernetes.

Analysis by StepSecurity and Wiz indicates the payload utilizes AES-256-CGM encryption for exfiltration and is capable of performing self-commits on any accessible GitHub repository, facilitating source-level propagation. Although the packages have been deprecated on npm, risk remains for teams that have not cleared local caches and lockfiles. StepSecurity noted that "this is one of the first supply chain attacks to target AI coding agent configurations as a persistence and propagation vector," highlighting a tactical escalation that expands the attack surface from developer machines to intelligent automation tools. The campaign also reportedly reached other registries including PyPI, PHP Packagist, RubyGems, and Go modules, affecting libraries such as PyTorch Lightning and the Intercom client on npm, as reported by Developer Tech.

Why CI pipelines are high-value targets

Continuous integration pipelines are ideal targets due to a combination of three factors: privileged access to build secrets, an ephemeral nature that lowers the alarm threshold, and polyglot complexity that complicates dependency auditing. Unlike a corporate laptop, a CI runner is often instantiated, performs its task, and is destroyed in less than an hour. If a package installs a proxy, an SSH key, or a compiler wrapper during that window, the payload can operate largely undetected.

Both the BufferZoneCorp and Mini Shai-Hulud campaigns exploit this window, though it is not confirmed that the two operations are linked. In both cases, the risk extends beyond credential theft; a compromised CI runner can inject backdoors into downstream software, propagating the attack to end-users without triggering traditional endpoint security alerts.

Mitigation and Response

To mitigate these risks and restore integrity to build chains, DevOps teams and CISOs should prioritize the following actions:

1. Audit Installation Logs: Review CI runner logs from April 29 to May 6, 2026, for the package names identified in the research, including mbt, the @cap-js suite, BufferZoneCorp gems, and associated Go modules.
2. Isolate Secrets: Restrict the exposure of GitHub tokens, cloud keys, and npm credentials during the dependency resolution phase. Utilize protected environments and short-lived OIDC roles to ensure malicious packages cannot access global secrets.
3. Pinning and Integrity Verification: Lock dependency versions in lockfiles and verify Go, Ruby, and npm package hashes against official sources. Monitor cache directories and the PATH on self-hosted runners where wrappers may be hidden.
4. Review AI Configurations: Audit settings for AI coding agents and GitHub Actions for anomalous HTTP/HTTPS proxies, unauthorized keys in ~/.ssh/authorized_keys, and suspicious workflow modifications.

The convergence of these two campaigns on build pipelines signals a tactical shift. CI runners can no longer be treated as transient, low-risk environments; they are critical endpoints. As long as these environments remain under-monitored, the window for attackers remains wide, with impact measured in minutes but consequences lasting much longer.

Frequently Asked Questions

Are BufferZoneCorp and Mini Shai-Hulud the same operation?

This has not been confirmed. Technical reports treat them as distinct campaigns with overlapping techniques but no definitive evidence of shared infrastructure or coordination.

How does a Go module alter GitHub Actions without detection?

It leverages the init() function and GITHUB_ENV/GITHUB_PATH environment variables to modify the workflow's PATH and intercept compiler calls, operating primarily in memory and temporary files.

Are the compromised packages still available?

Packages associated with BufferZoneCorp have been yanked from RubyGems and blocked on Go; the SAP npm packages have been deprecated. However, teams that have already downloaded or cached these packages remain at risk until their environments are remediated.

Information has been verified against cited sources and is current as of the time of publication.

Sources

• https://thehackernews.com/2026/05/poisoned-ruby-gems-and-go-modules.html
• https://www.scworld.com/brief/new-software-supply-chain-attack-uses-sleeper-packages-for-credential-theft-and-ci-tampering
• https://www.scworld.com/brief/supply-chain-attack-against-sap-npm-packages-facilitates-credential-theft
• https://www.developer-tech.com/news/open-source-registries-mini-shai-hulud-supply-chain-attacks/