A cross-ecosystem supply-chain campaign tied to the GitHub account BufferZoneCorp used malicious Ruby gems and Go modules to steal developer secrets, tamper with GitHub Actions workflows, and plant SSH persistence on compromised systems.

According to Socket research published on May 1, 2026, some of the Ruby packages were built to harvest environment variables, SSH keys, AWS credentials, .npmrc, .netrc, GitHub CLI configuration, and RubyGems credentials at install time and send the stolen data to an attacker-controlled endpoint. On the Go side, the activity went further: the modules altered GitHub Actions workflows, planted fake Go wrappers, and added a hard-coded public key to ~/.ssh/authorized_keys for persistent access.[1] One difference worth keeping in mind: `go get` and `go mod download` run no package-supplied code, so unlike the gems, the Go-side behavior fires only when code that imports the module is compiled and run, not at download time.
The campaign mattered because it crossed two ecosystems at once and blended install-time credential theft with CI tampering. The core pattern is easiest to read side by side:
| Ecosystem | Examples | Observed behavior |
|---|---|---|
| RubyGems | knot-activesupport-logger, knot-devise-jwt-helper, knot-date-utils-rb | Harvested environment variables, SSH keys, AWS secrets, and local credential files during install.[1] |
| Go modules | github.com/BufferZoneCorp/go-envconfig, github.com/BufferZoneCorp/log-core, github.com/BufferZoneCorp/go-metrics-sdk | Tampered with GitHub Actions workflows, planted fake Go wrappers, and added an SSH key for persistence.[1][2] |
What developers and DevOps teams should check
If any of these packages touched a workstation, build runner, or CI image, treat it as a credential exposure event rather than a routine dependency cleanup. Review outbound connections from the affected host, inspect ~/.ssh/authorized_keys for keys you did not add, diff GitHub Actions workflows against a known-good revision, and rotate every secret that could have been present in environment variables or config files: SSH keys, AWS credentials, and the tokens held in .npmrc, .netrc, the GitHub CLI configuration, and RubyGems credentials. Rotation is not optional here; the data was exfiltrated at install time, so a clean dependency tree says nothing about what already left the host.
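The checks above can be scripted so they run the same way on every affected host. The triage helper below is an added example and is not code from the Socket or Hacker News reports or from any of the named projects. It uses the package names the reports list; the SSH-key allowlist and the checksum manifest of workflow files (taken while the pipeline was still trusted) are files you are assumed to maintain, and every path in it is a placeholder.

```shell
#!/usr/bin/env bash
# Post-exposure triage for the checks listed above. Added example, not code from
# the Socket or Hacker News reports. Package names are the ones the reports list;
# the allowlist and baseline manifest are files you are assumed to maintain.
set -u

RUBY_IOCS="knot-activesupport-logger knot-devise-jwt-helper knot-date-utils-rb"
GO_IOCS="github.com/BufferZoneCorp/go-envconfig github.com/BufferZoneCorp/log-core github.com/BufferZoneCorp/go-metrics-sdk"

# 1. Did any named package enter a Gemfile.lock, go.mod or go.sum under $1?
#    Prints "HIT <package> in <file>" per match; returns 1 on any hit, else 0.
#    (Lockfile paths are assumed not to contain whitespace.)
find_bad_packages() {
  root="$1" hits=0
  lockfiles=$(find "$root" -type f \( -name Gemfile.lock -o -name go.mod -o -name go.sum \) 2>/dev/null)
  [ -n "$lockfiles" ] || return 0
  for ioc in $RUBY_IOCS $GO_IOCS; do
    # shellcheck disable=SC2086
    if matches=$(grep -lF -- "$ioc" $lockfiles 2>/dev/null); then
      printf 'HIT %s in %s\n' "$ioc" "$matches"; hits=1
    fi
  done
  return "$hits"
}

# 2. Is every key in authorized_keys ($1) present in the allowlist ($2)?
#    Compares only "<type> <base64>": option prefixes such as command="..." and
#    the trailing comment are attacker-controlled, so they are ignored.
#    Returns 1 if a key is not in the allowlist.
check_authorized_keys() {
  ak="$1" allow="$2" unknown=0
  [ -f "$ak" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    key=$(printf '%s\n' "$line" | awk '
      /^[[:space:]]*(#|$)/ { exit }
      { for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i " " $(i+1); exit } }')
    [ -n "$key" ] || continue
    if ! grep -qF -- "$key" "$allow" 2>/dev/null; then
      printf 'UNKNOWN KEY: %s\n' "$key"; unknown=1
    fi
  done < "$ak"
  return "$unknown"
}

# 3. Do the workflow files under $1 still match a baseline manifest ($2, absolute
#    path) taken while the pipeline was trusted? Create the manifest with:
#      (cd repo && sha256sum .github/workflows/*) > baseline.sha256
#    Edited or deleted files fail the checksum; files missing from the manifest
#    (newly added workflows) are reported separately. Returns 1 on any drift.
check_workflow_drift() {
  root="$1" manifest="$2" drift=0
  (cd "$root" && sha256sum --quiet -c "$manifest") || drift=1
  for f in $(cd "$root" && find .github/workflows -type f 2>/dev/null); do
    grep -qF -- " $f" "$manifest" || { printf 'NEW WORKFLOW: %s\n' "$f"; drift=1; }
  done
  return "$drift"
}

# Run all three; a non-zero exit means "treat as a credential exposure".
run_triage() {  # <repo root> <authorized_keys> <key allowlist> <workflow manifest>
  rc=0
  find_bad_packages "$1" || rc=1
  check_authorized_keys "$2" "$3" || rc=1
  check_workflow_drift "$1" "$4" || rc=1
  [ "$rc" -eq 0 ] && echo "no indicators found"
  return "$rc"
}
```

Run it from a host you still trust, against the checkout, the affected user's ~/.ssh/authorized_keys, your key allowlist and the workflow manifest. The manifest must be regenerated after every legitimate workflow change or the drift check becomes noise; a hit in a lockfile is the trigger for rotating everything listed in the report, not merely for removing the dependency.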
The bigger lesson is that dependency trust failures are increasingly becoming CI incidents, not just developer laptop incidents. That is the same pattern we saw in the recent Gemini CLI CI/CD risk story: once a build environment trusts the wrong package or tool, the blast radius can extend into tokens, pipelines, and downstream releases.
There is no CVE attached to this campaign, but the practical impact is still significant because the malicious behavior was designed to run inside normal developer workflows. Teams that rely on third-party packages in Ruby or Go pipelines should review dependency provenance, pin versions where possible, and watch for install-time behavior that reaches outside the build itself.[3]
References
- Kirill Boychenko, “Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI”, Socket, published May 1, 2026.
- Ravie Lakshmanan, “Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft”, The Hacker News, published May 1, 2026.
- RubyGems package record for knot-date-utils-rb and Go package record for github.com/BufferZoneCorp/go-envconfig, accessed May 1, 2026.