TTPwire Vol. 1 · MITRE ATT&CK·Tagged


The Hacker News

Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft

The Hacker News · 5 days ago

ATT&CK techniques detected

4 predictions
T1195.001 Compromise Software Dependencies and Development Tools (98%)
“Poisoned Ruby gems and Go modules exploit CI pipelines for credential theft. A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that enabled credential theft, GitHub Actions tampering, and SSH p…”

T1195.001 Compromise Software Dependencies and Development Tools (97%)
“‘The account is part of a software supply chain campaign targeting developers, CI runners, and build environments across two ecosystems,’ Socket security researcher Kirill Boychenko said in an analysis published today. The Ruby gems are designed to automate credential theft d…”

T1195.001 Compromise Software Dependencies and Development Tools (74%)
“…metrics-sdk, github[.]com/bufferzonecorp/go-weather-sdk, github[.]com/bufferzonecorp/go-retryablehttp, github[.]com/bufferzonecorp/go-stdlib-ext, github[.]com/bufferzonecorp/grpc-client, github[.]com/bufferzonecorp/net-helpe…”

T1677 Poisoned Pipeline Execution (32%)
“‘The account is part of a software supply chain campaign targeting developers, CI runners, and build environments across two ecosystems,’ Socket security researcher Kirill Boychenko said in an analysis published today. The Ruby gems are designed to automate credential theft d…”

Summary

A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that enabled credential theft, GitHub Actions tampering, and SSH persistence. The activity has been attributed to the GitHub account "BufferZoneCorp," which has published a set of repositories that are associated with malicious Ruby gems and Go modules. As of