BufferZoneCorp — Poisoned Ruby Gems & Go Modules Target CI Pipelines
AI relevance: CI/CD pipelines are the backbone of AI/ML model training, deployment, and agent tooling — compromised runners can steal model API keys, poison ML build artifacts, and tamper with agent infrastructure, and this campaign's payloads explicitly impersonate Anthropic's Claude Code to evade scrutiny.
Socket Security researcher Kirill Boychenko published analysis on May 1, 2026 of a cross-ecosystem supply chain campaign attributed to a GitHub account called "BufferZoneCorp," which published malicious Ruby gems and Go modules designed as sleeper packages that steal credentials and compromise build environments.
What was found
- Ruby gems (RubyGems): Seven packages published under the "knot-" prefix, including two sleeper gems (knot-date-utils-rb, knot-simple-formatter) that masquerade as common utilities. All gems harvest environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI config, and RubyGems credentials at install time, exfiltrating to a Webhook.site endpoint.
- Go modules: Eight modules under github.com/BufferZoneCorp/, including two sleepers (log-core, go-envconfig). These go further — they tamper with GitHub Actions workflows by detecting GITHUB_ENV and GITHUB_PATH, writing a fake Go executable into a cache directory, and prepending it to the workflow PATH so it intercepts future go executions while passing control to the real binary to avoid detection.
- SSH persistence: Go modules append a hard-coded SSH public key to ~/.ssh/authorized_keys for persistent remote access.
- Claude Code impersonation: Every poisoned commit is authored using a hardcoded identity designed to impersonate Anthropic's Claude Code, an upsert operation that creates or overwrites files across up to 50 branches per compromised token.
Why it matters
This campaign demonstrates two evolving techniques that directly threaten AI/ML operations. First, it uses sleeper packages that appear benign until triggered, which makes them harder to detect through standard supply chain scanning. Second, the CI pipeline poisoning via Go module PATH manipulation allows attackers to intercept and modify build outputs; in an AI context, this means tampering with model weights, training scripts, or agent configuration without breaking the pipeline. The Claude Code impersonation is particularly notable, as it exploits trust in AI coding assistants to mask malicious commits.
What to do
- Remove any installed packages from the BufferZoneCorp GitHub account or "knot-" prefixed Ruby gems listed above.
- Review CI/CD runners for unauthorized SSH keys in ~/.ssh/authorized_keys and suspicious workflow modifications.
- Check repository branches for commits authored with Claude Code impersonation identities.
- Rotate any credentials that may have been exposed through environment variables or config files on affected systems.
- Pin dependency versions and use lockfiles to prevent silent installation of new malicious package versions.
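One way to run the runner review described above, as an added example that is not part of the Socket report: it lists every go executable on PATH in resolution order, flags a first match outside the expected toolchain directories, and reports authorized_keys entries missing from an approved list. The function names, the allowlisted directories and the allowlist file format are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the Socket report. Allowlisted paths and key blobs
# are assumptions to be replaced with values for your own runners.

# Print every executable named "go" on the given PATH string, in resolution
# order. The first line is the binary a workflow step would actually run.
go_candidates() {
  local path_string=$1 dir
  local IFS=:
  for dir in $path_string; do
    [ -n "$dir" ] && [ -f "$dir/go" ] && [ -x "$dir/go" ] && printf '%s\n' "$dir/go"
  done
  return 0
}

# Return 0 and print a finding when the first "go" on PATH lives outside the
# expected toolchain directories given as the remaining arguments.
go_is_shadowed() {
  local path_string=$1 first prefix
  shift
  first=$(go_candidates "$path_string" | head -n 1)
  [ -n "$first" ] || return 1
  for prefix in "$@"; do
    case "$first" in "$prefix"/*) return 1 ;; esac
  done
  printf 'unexpected go first on PATH: %s\n' "$first"
}

# Print authorized_keys entries whose base64 key blob (always starts "AAAA")
# is missing from the allowlist file, which holds one approved blob per line.
unknown_ssh_keys() {
  local keys_file=$1 allow_file=$2 line blob
  [ -r "$keys_file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    blob=$(printf '%s\n' "$line" | grep -oE 'AAAA[A-Za-z0-9+/=]+' | head -n 1)
    [ -n "$blob" ] || continue
    grep -qxF -- "$blob" "$allow_file" || printf '%s\n' "$line"
  done < "$keys_file"
}

# Example calls on a Linux runner (paths are assumptions):
#   go_is_shadowed "$PATH" /usr/local/go /opt/hostedtoolcache/go
#   unknown_ssh_keys "$HOME/.ssh/authorized_keys" approved_key_blobs.txt
```

Entries written to GITHUB_PATH take effect in subsequent workflow steps, so the PATH check belongs in a step that runs after dependency download and build, not before.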