New software supply chain attack uses sleeper packages for credential theft and CI tampering

A new software supply chain attack campaign has been observed using sleeper packages to deliver malicious payloads, enabling credential theft, GitHub Actions tampering, and SSH persistence, according to a recent report by The Hacker News.

The campaign, attributed to the GitHub account "BufferZoneCorp", involved malicious Ruby gems and Go modules disguised as legitimate libraries. The Ruby gems were designed to steal credentials, including environment variables, SSH keys, and various configuration secrets, and to exfiltrate the data to an attacker-controlled endpoint.

The Go modules offered broader capabilities: tampering with GitHub Actions workflows, planting fake Go wrappers to intercept commands, and establishing SSH persistence by adding a public key to the authorized_keys file. These modules executed through their init functions, which run automatically when the module is imported; they manipulated environment variables such as HTTP_PROXY and placed a fake Go executable in a cache directory so that it was found ahead of the legitimate binary on PATH. This allowed the attackers to influence or intercept subsequent Go executions without breaking the build process.

Developers who may have installed these packages are advised to remove them, review systems for unauthorized access or changes, rotate any credentials that may have been exposed, and inspect network logs for suspicious outbound traffic.

Source: The Hacker News
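The three host-side artefacts the report describes (a "go" executable that wins PATH resolution ahead of GOROOT/bin/go, an extra public key in authorized_keys, and proxy variables in the environment) are all things a developer can check for locally. The following Go program is an added example written for this page, not code from the report or from the campaign; it takes PATH, the environment and the authorized_keys contents as inputs so that it can be run against constructed data, and the expected-key allowlist and the "go-wrapper" / "authorized_keys" / "proxy-env" finding names are the example's own. Reviewing .github/workflows for tampering is best done with `git log -p` against the repository history and is not covered here.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"runtime"
	"strings"
)

// Finding is one suspicious condition surfaced by the triage checks.
type Finding struct {
	Check  string
	Detail string
}

// goBinaries lists every executable named "go" reachable through pathEnv, in
// PATH order, so the first entry is the one a shell or build step would run.
func goBinaries(pathEnv string) []string {
	var found []string
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" {
			continue
		}
		p := filepath.Join(dir, "go")
		if info, err := os.Stat(p); err == nil && !info.IsDir() && info.Mode()&0o111 != 0 {
			found = append(found, p)
		}
	}
	return found
}

// CheckGoResolution flags a "go" executable that wins PATH resolution but is
// not GOROOT/bin/go, which is what a planted wrapper looks like. The detail
// lists every candidate so the operator can see what the winner shadows.
func CheckGoResolution(pathEnv, goroot string) []Finding {
	bins := goBinaries(pathEnv)
	expected := filepath.Join(goroot, "bin", "go")
	if len(bins) == 0 || bins[0] == expected {
		return nil
	}
	return []Finding{{"go-wrapper", fmt.Sprintf("%s resolves before %s (candidates: %s)",
		bins[0], expected, strings.Join(bins, ", "))}}
}

// knownKeyTypes are the tokens that introduce the key blob in an
// authorized_keys entry; anything before them is an options prefix.
var knownKeyTypes = map[string]bool{
	"ssh-rsa": true, "ssh-dss": true, "ssh-ed25519": true,
	"ecdsa-sha2-nistp256": true, "ecdsa-sha2-nistp384": true, "ecdsa-sha2-nistp521": true,
	"sk-ssh-ed25519@openssh.com": true, "sk-ecdsa-sha2-nistp256@openssh.com": true,
}

// CheckAuthorizedKeys flags every key whose base64 blob is not in the allowed
// set (assumed to be the operator's known keys), plus every line it cannot
// parse. It scans for the key-type token instead of assuming a fixed column,
// so an options prefix such as command="..." does not hide a planted key.
func CheckAuthorizedKeys(contents string, allowed map[string]bool) []Finding {
	var out []Finding
	for n, line := range strings.Split(contents, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		blob, comment := "", ""
		for i, f := range fields {
			if knownKeyTypes[f] && i+1 < len(fields) {
				blob, comment = fields[i+1], strings.Join(fields[i+2:], " ")
				break
			}
		}
		switch {
		case blob == "":
			out = append(out, Finding{"authorized_keys", fmt.Sprintf("line %d: unparseable entry", n+1)})
		case !allowed[blob]:
			out = append(out, Finding{"authorized_keys",
				fmt.Sprintf("line %d: unexpected key %s (%q)", n+1, blob, comment)})
		}
	}
	return out
}

// CheckProxyEnv reports proxy variables in env (KEY=VALUE entries as returned
// by os.Environ()); HTTP_PROXY is one the report names as manipulated.
func CheckProxyEnv(env []string) []Finding {
	var out []Finding
	for _, kv := range env {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		switch strings.ToUpper(k) {
		case "HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY":
			out = append(out, Finding{"proxy-env", k + "=" + v})
		}
	}
	return out
}

func main() {
	findings := CheckGoResolution(os.Getenv("PATH"), runtime.GOROOT())
	findings = append(findings, CheckProxyEnv(os.Environ())...)
	if home, err := os.UserHomeDir(); err == nil {
		// No allowlist is passed here, so every key is listed for the operator to confirm.
		if b, err := os.ReadFile(filepath.Join(home, ".ssh", "authorized_keys")); err == nil {
			findings = append(findings, CheckAuthorizedKeys(string(b), nil)...)
		}
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s\n", f.Check, f.Detail)
	}
}
```

Run it on the developer machine or CI runner that pulled the suspect modules; a `go-wrapper` finding should be confirmed with `which -a go` and by inspecting the winning file, and any `authorized_keys` entry you do not recognise should be removed before rotating the exposed credentials.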
