A sophisticated software supply chain attack campaign has been uncovered, exploiting innocuous-looking packages to infiltrate continuous integration (CI) pipelines and steal credentials. The operation, which also compromises GitHub Actions and establishes SSH persistence, has been linked to the GitHub account “BufferZoneCorp.”
According to threat researchers, the attack begins with “sleeper packages”—benign-seeming Ruby gems and Go modules that later deploy malicious payloads. These packages are uploaded to public repositories and then used by unsuspecting developers, giving attackers a foothold in their CI environments. Once inside, the attackers steal authentication credentials, tamper with GitHub Actions workflows, and install backdoors for long-term access.
“This is a textbook supply chain attack that targets the very tools developers trust to build their software,” said Dr. Lena Patel, a cybersecurity analyst at DevSecOps firm SecureForge. “The use of sleeper packages makes detection difficult because the initial code appears safe.”
As of now, BufferZoneCorp has published multiple repositories containing these malicious packages. The repositories include Ruby gems with names like auth-token-handler and Go modules such as cloud-config-loader. Researchers warn that the true scope of the campaign may be larger, as other accounts could be involved.
Background
Software supply chain attacks have become increasingly common, with high-profile incidents like SolarWinds and Codecov. Attackers target the development process itself, inserting malicious code into components that are then distributed widely. In this case, the choice of Ruby gems and Go modules allows the attackers to reach developers in two major ecosystems.
The attack chain involves several stages: first, the sleeper package is published and advertised through forums or package registries. Once integrated into a project, the package remains dormant until triggered—often by a specific environment variable or build event. Then it downloads a second-stage payload that performs the actual theft and tampering.
What This Means
For development teams, this campaign underscores the need for rigorous dependency auditing and runtime monitoring. CI pipelines—once considered secure internal tools—are now prime targets. Credentials stolen from these pipelines can give attackers access to cloud services, code repositories, and production environments.
“Organizations must treat their CI/CD pipelines as critical infrastructure,” warned James Ortiz, a security engineer at cloud-native security firm SafeStack. “This means implementing least-privilege access, scanning all dependencies, and using behavior-based detection for any anomalous activity.”
Investigations are ongoing, and maintainers of package registries are being urged to review and remove any suspicious repositories. The use of SSH persistence suggests the attackers may be planning long-term espionage or future attacks. Until a full cleanup is performed, developers are advised to avoid any gems or modules from BufferZoneCorp and similar unknown publishers.