A fresh wave of software supply chain attacks has been detected, utilizing sleeper packages to deploy harmful payloads that facilitate credential theft and tampering with GitHub Actions, ultimately establishing SSH persistence. The GitHub user ‘BufferZoneCorp’ has been identified as the source of these attacks, releasing repositories linked to compromised Ruby gems and Go modules. While these malicious packages have been removed from RubyGems and blocked in Go module repositories, their impact remains significant.
Identified Malicious Packages
The deceptive packages mimic legitimate modules to avoid detection. Ruby gems involved include ‘knot-activesupport-logger’ and ‘knot-simple-formatter,’ among others. Similarly, Go modules such as ‘go-metrics-sdk’ and ‘log-core’ were used to deceive users. These packages posed as trusted libraries like ‘activesupport-logger’ and ‘grpc-client’ to trick developers into downloading them.
Impact on Developers and CI Environments
The attack targets developers and continuous integration (CI) environments across multiple platforms. Ruby gems were engineered to steal sensitive information during installation, targeting environment variables and critical credentials such as SSH keys and AWS secrets. Stolen data was sent to an attacker-controlled endpoint for exploitation.
In contrast, the Go modules possessed more extensive abilities, including tampering with GitHub Actions workflows and inserting unauthorized SSH keys for remote access. These modules executed through the ‘init()’ function, manipulating environment variables and injecting fake Go executables to influence workflow execution without detection.
Recommendations for Affected Users
Users who have inadvertently installed these packages should take immediate action. It is essential to remove the compromised packages, check for unauthorized access to sensitive files, rotate any exposed credentials, and scrutinize network activity for suspicious outbound traffic. Keeping systems secure involves vigilance and prompt response to such threats.
As these attacks highlight vulnerabilities in software supply chain security, it is crucial for developers and organizations to maintain robust security practices, ensuring the integrity of their software environments.
