New software supply chain attack campaigns have been observed using sleeper packages as a vector to then push malicious payloads that enable credential theft, GitHub Actions modification, and SSH persistence.
This activity is believed to be the work of the GitHub account ‘BufferZoneCorp’, which published a set of repositories related to malicious Ruby gems and Go modules. As of this writing, the package has been removed from RubyGems and the Go module is blocked. The names of the libraries are listed below –
Ruby: knot-activesupport-logger knot-devise-jwt-helper knot-rack-session-store knot-rails-assets-pipeline knot-rspec-formatter-json knot-date-utils-rb (Sleeper gem) knot-simple-formatter (Sleeper gem) Go: github[.]com/BufferZoneCorp/go-metrics-sdk github[.]com/BufferZoneCorp/go-weather-sdk github[.]com/BufferZoneCorp/go-retryablehttp github[.]com/BufferZoneCorp/go-stdlib-ext github[.]com/BufferZoneCorp/grpc-client github[.]com/BufferZoneCorp/net-helper github[.]com/BufferZoneCorp/config-loader github[.]com/BufferZoneCorp/log-core (sleeper module) github[.]com/BufferZoneCorp/go-envconfig (sleeper module)
The identified packages disguise themselves as recognizable and well-known modules such as activesupport-logger, device-jwt, go-retryablehttp, grpc-client, and config-loader to evade detection and trick users into downloading them.
“This account is part of a software supply chain campaign targeting developers, CI runners, and the built environment across two ecosystems,” said socket security researcher Kirill Boychenko in an analysis published today.
Ruby gems are designed to automate credential theft during installation, collection of environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI configuration, and RubyGems credentials. The stolen data is exposed to an attacker-controlled webhook.[.]Site endpoint.
The Go module, on the other hand, has broader functionality, including modifying GitHub Actions workflows, installing fake Go wrappers, stealing developer data, and adding hardcoded SSH public keys to “~/.ssh/authorized_keys” for remote access to compromised hosts. Not all modules have the same payload. Instead, it is distributed across the cluster.
“The module runs through init(), finds GITHUB_ENV and GITHUB_PATH, sets HTTP_PROXY and HTTPS_PROXY, writes a fake go executable to the cache directory, and adds that directory to the workflow path so that the wrapper is selected before the real binary,” Boychenko explained.
“This wrapper can intercept or influence subsequent execution while passing control to the legitimate binary to avoid job interruption.”
Users who installed the package are advised to remove the package from their systems, check for signs of access to sensitive files or unauthorized changes to ‘~/.ssh/authorized_keys’, rotate exposed credentials, and inspect network logs for outbound HTTPS traffic to extraction points.
Source link
