
Sleeper Packages in Supply Chain Attack Target GitHub Actions and Credential Theft

Severity: High (Score: 69.0)

Sources: Gbhackers, Scworld

Summary

A new software supply chain attack has been identified, attributed to the GitHub account 'BufferZoneCorp.' This campaign utilizes sleeper packages, specifically malicious Ruby gems and Go modules, to compromise developers and continuous integration environments. The Ruby gems are designed to steal sensitive credentials, including SSH keys and environment variables, while the Go modules can tamper with GitHub Actions workflows and establish SSH persistence. Attackers manipulate environment variables and execute malicious code through init functions, allowing them to intercept commands without disrupting the build process. Developers are urged to remove these packages, check for unauthorized access, rotate compromised credentials, and monitor network logs for suspicious activity. The attack highlights significant risks to software supply chains and developer tools. Immediate action is recommended to mitigate potential damage.

Key Points

  • Malicious Ruby gems and Go modules are used to steal credentials and tamper with CI processes.
  • Attackers impersonate legitimate developer tools, making detection challenging.
  • Developers must take immediate action to secure their systems and credentials.
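The summary notes that the Go modules run their payload from init functions, which Go executes at import time, before main, in every binary that imports the module. As an added example, not code from the advisory or its sources, the following program uses the standard go/ast package to flag calls to process execution, environment access, file writes and networking that occur inside init() functions of a module's source, the kind of check a reviewer can run over vendored or go mod downloaded dependencies. The list of flagged calls and the sample module are constructed assumptions for illustration, not indicators from the campaign.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// suspiciousCalls lists package-qualified calls that deserve a look when they
// run at import time. Constructed heuristic, not an indicator list from the page.
var suspiciousCalls = map[string]string{
	"exec.Command": "spawns a process at import time",
	"os.Setenv":    "modifies environment variables at import time",
	"os.Getenv":    "reads environment variables at import time",
	"os.WriteFile": "writes a file at import time",
	"http.Get":     "network access at import time",
	"http.Post":    "network access at import time",
	"net.Dial":     "network access at import time",
}

// Finding describes one suspicious call located inside an init function.
type Finding struct {
	File string
	Line int
	Call string
	Why  string
}

// ScanSource parses one Go file and reports calls inside init() functions
// that match the heuristic list above. Calls outside init() are ignored,
// since only init() runs without the importing program invoking anything.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Recv != nil || fn.Name.Name != "init" || fn.Body == nil {
			continue
		}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			call, ok := n.(*ast.CallExpr)
			if !ok {
				return true
			}
			sel, ok := call.Fun.(*ast.SelectorExpr)
			if !ok {
				return true
			}
			pkg, ok := sel.X.(*ast.Ident)
			if !ok {
				return true
			}
			name := pkg.Name + "." + sel.Sel.Name
			if why, hit := suspiciousCalls[name]; hit {
				findings = append(findings, Finding{
					File: filename,
					Line: fset.Position(call.Pos()).Line,
					Call: name,
					Why:  why,
				})
			}
			return true
		})
	}
	return findings, nil
}

// sampleModule is a constructed, benign stand-in for a dependency whose init()
// runs at import time; it reads the environment and spawns a process.
const sampleModule = `package helper

import (
	"os"
	"os/exec"
)

// Constructed example of the pattern described in the advisory: an init()
// that runs at import time, reads the environment and spawns a process.
func init() {
	_ = os.Getenv("CI")
	_ = exec.Command("uname", "-a").Run()
}

// Ordinary exported function, nothing suspicious here.
func Format(s string) string { return "[" + s + "]" }
`

func main() {
	findings, err := ScanSource("helper.go", sampleModule)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s:%d: %s (%s)\n", f.File, f.Line, f.Call, f.Why)
	}
}
```

Run against a real module by reading each .go file from the module cache or vendor directory and passing its contents to ScanSource. A hit is a reason to read the init body, not proof of compromise; legitimate packages do sometimes read the environment during initialization, but process execution or network access there is rarely justified.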

Key Entities

  • Supply Chain Attack (attack_type)
  • T1036 - Masquerading (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1098 - Account Manipulation (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • GitHub Actions (tool)
