Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft

A supply chain attack campaign uses malicious Ruby gems and Go modules to steal credentials and compromise CI/build environments.

• •Ruby gems from BufferZoneCorp harvest environment variables, SSH keys, AWS secrets, and credentials during installation
• •Go modules intercept GitHub Actions workflows using fake Go wrappers and add SSH public keys for persistent remote access
• •Stolen credentials and data are exfiltrated to attacker-controlled Webhook.site endpoints
• •Malicious packages masquerade as legitimate libraries like activesupport-logger, devise-jwt, and go-retryablehttp to evade detection
• •Affected users must remove packages, rotate credentials, check SSH access logs, and monitor for suspicious outbound HTTPS traffic