Malicious Ruby Gems and Go Modules Impersonate Developer Too...
A GitHub account named BufferZoneCorp published a cluster of malicious Ruby gems and Go modules disguised as legitimate developer tools. The packages followed a sleeper strategy: early versions appeared benign, and the active payloads were introduced in later updates.

On the Ruby side, the gems harvest credentials from environment variables and local files (SSH keys, AWS credentials, .npmrc, GitHub CLI config) and exfiltrate them to a hidden endpoint. On the Go side, the modules place their payload in init(), so it runs automatically whenever a program that imports the module is executed, and use that foothold to tamper with GitHub Actions build environments: poisoning GOPROXY, disabling checksum verification, planting fake go wrappers in the execution path, and in one case appending a hardcoded SSH public key to authorized_keys to establish persistence.

The Go Security team blocked the identified modules; the Ruby gems and the GitHub account were still live at the time of writing. Developers should remove all BufferZoneCorp packages, rotate exposed credentials, audit CI workflow environments for unauthorized changes, and inspect authorized_keys files for the deploy@buildserver marker.
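The three audit steps the summary recommends for the Go side can be scripted. The program below is an added example, not code from the original report and not derived from the BufferZoneCorp packages themselves. It checks an authorized_keys file for the deploy@buildserver marker, inspects the Go environment for a non-default GOPROXY and for the standard settings that weaken checksum verification (GOSUMDB=off, GONOSUMDB, GOINSECURE, GOFLAGS=-insecure), and walks PATH looking for a file named go that is a shell script rather than a compiled toolchain. The page gives the marker but not the full planted key, and it does not state which exact environment values the modules wrote, so the marker match is a substring match and the variable list is an assumption drawn from the Go toolchain's documented knobs; a deliberately configured private proxy will also be reported and needs a human to clear it.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Marker the report says the persistence payload appends to authorized_keys.
const sshMarker = "deploy@buildserver"

// defaultGoProxy is the stock GOPROXY value in a recent Go toolchain.
const defaultGoProxy = "https://proxy.golang.org,direct"

// Finding is one suspicious observation from the audit.
type Finding struct {
	Check  string
	Detail string
}

// CheckAuthorizedKeys reports every line of an authorized_keys file that
// carries the marker, with its 1-based line number for manual removal.
func CheckAuthorizedKeys(content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		if strings.Contains(line, sshMarker) {
			out = append(out, Finding{
				Check:  "authorized_keys",
				Detail: fmt.Sprintf("line %d contains %q", i+1, sshMarker),
			})
		}
	}
	return out
}

// CheckGoEnv flags a non-default GOPROXY and the documented settings that
// weaken module checksum verification. Which values the malware actually
// set is not stated on the page; this list is an assumption.
func CheckGoEnv(env map[string]string) []Finding {
	var out []Finding
	if p := env["GOPROXY"]; p != "" && p != defaultGoProxy {
		out = append(out, Finding{Check: "GOPROXY", Detail: "non-default proxy: " + p})
	}
	if strings.EqualFold(env["GOSUMDB"], "off") {
		out = append(out, Finding{Check: "GOSUMDB", Detail: "checksum database disabled"})
	}
	for _, k := range []string{"GONOSUMDB", "GOINSECURE"} {
		if v := env[k]; v != "" {
			out = append(out, Finding{Check: k, Detail: "set to " + v})
		}
	}
	if strings.Contains(env["GOFLAGS"], "-insecure") {
		out = append(out, Finding{Check: "GOFLAGS", Detail: "contains -insecure"})
	}
	return out
}

// IsScriptWrapper reports whether a file named "go" begins with a shebang,
// i.e. is a script placed in front of the real toolchain, not a binary.
func IsScriptWrapper(head []byte) bool {
	return len(head) >= 2 && head[0] == '#' && head[1] == '!'
}

// FindGoWrappers walks PATH in order and reports every "go" that is a
// script. Only the first hit shadows the toolchain, but any planted wrapper
// is evidence of tampering. Unix layout assumed (Windows uses go.exe).
func FindGoWrappers(pathList string) []Finding {
	var out []Finding
	for _, dir := range filepath.SplitList(pathList) {
		if dir == "" {
			continue
		}
		candidate := filepath.Join(dir, "go")
		f, err := os.Open(candidate)
		if err != nil {
			continue // no "go" in this directory
		}
		head := make([]byte, 2)
		n, _ := f.Read(head)
		f.Close()
		if IsScriptWrapper(head[:n]) {
			out = append(out, Finding{Check: "PATH", Detail: "script named go at " + candidate})
		}
	}
	return out
}

// main runs the checks against the current machine and exits non-zero on
// any finding, so it can run as a step in a CI job.
func main() {
	env := map[string]string{}
	for _, k := range []string{"GOPROXY", "GOSUMDB", "GONOSUMDB", "GOINSECURE", "GOFLAGS"} {
		env[k] = os.Getenv(k)
	}
	findings := append(CheckGoEnv(env), FindGoWrappers(os.Getenv("PATH"))...)
	if home, err := os.UserHomeDir(); err == nil {
		if b, err := os.ReadFile(filepath.Join(home, ".ssh", "authorized_keys")); err == nil {
			findings = append(findings, CheckAuthorizedKeys(string(b))...)
		}
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s\n", f.Check, f.Detail)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it from inside the runner's job (`go run audit.go` as an early step) so it sees the same PATH and environment the build will use; a GOPROXY poisoned by an earlier step, or a wrapper dropped into a directory that precedes the toolchain on PATH, shows up before any module is fetched.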
Table of contents
From GitHub Repositories to Published Packages
Ruby: Install Time Credential Theft
Go: One Cluster, Several Distinct Payloads
Dependency Poisoning in GitHub Actions
Proxy Manipulation and a Fake go Wrapper
Credential Theft, SSH Persistence, and Workflow Tampering
Outlook and Recommendations
Indicators of Compromise
MITRE ATT&CK