Malicious code in github.com/BufferZoneCorp/config-loader (Go)
The Go package github.com/BufferZoneCorp/config-loader was identified as malicious, part of a cluster of packages designed to steal credentials, establish SSH access, and tamper with build and workflow environment variables. The package was flagged by Google's open-source security research.
- Disclosed
- Last updated
- Blast radius
- Unknown; depends on adoption of the malicious package versions
- Ecosystems
- Attack vectors
- Affected entities
- github.com/BufferZoneCorp/config-loaderGo package containing malicious code
Overview
The Go package github.com/BufferZoneCorp/config-loader has been identified as containing malicious code by Google's open-source security research team. This package is part of a coordinated cluster of malicious packages spanning Go and RubyGems ecosystems.
Malicious Behavior
The package is designed to perform multiple harmful actions on affected systems:
- Steal credentials from the host environment
- Establish SSH access for remote persistence
- Tamper with build and workflow environment variables, potentially compromising CI/CD pipelines
Scope
The malicious package was published on GitHub and indexed in the GitHub Advisory Database (GHSA-vr4x-2cr3-p6p4). The cluster includes related malicious packages in both the Go and RubyGems ecosystems, suggesting a coordinated supply chain attack campaign.
Indicators of compromise
- Packages
- github.com/BufferZoneCorp/config-loader
Remediation
- Immediately remove or uninstall github.com/BufferZoneCorp/config-loader from all projects and systems
- Audit all systems that may have executed this package for signs of credential theft or unauthorized SSH access
- Review and rotate all credentials (API keys, passwords, SSH keys) that may have been exposed
- Inspect CI/CD pipeline logs and environment variables for signs of tampering
- Check for unauthorized SSH keys or access on affected systems
- Update to a safe, verified alternative package for configuration loading
- Monitor for related malicious packages in the BufferZoneCorp and knot-theory clusters
Sources
- GitHub Advisory GHSA-vr4x-2cr3-p6p4 · GitHub Advisory Database
Cite this entry
"Malicious code in github.com/BufferZoneCorp/config-loader (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-bufferzonecorp-config-loader-go-jxsdhb
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- activecritical
Malicious code in github.com/BufferZoneCorp/go-weather-sdk (Go)
The Go package github.com/BufferZoneCorp/go-weather-sdk contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.
GoCompromised packageMalicious maintainer - activecritical
Malicious code in github.com/BufferZoneCorp/grpc-client (Go)
The Go package github.com/BufferZoneCorp/grpc-client contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. The package is part of a broader BufferZoneCorp and RubyGems cluster of malicious packages.
GoCompromised packageMalicious maintainer - containedcritical
Malicious code in github.com/BufferZoneCorp/net-helper (Go)
The Go package github.com/BufferZoneCorp/net-helper contains malicious code that steals credentials, establishes SSH access, and tampers with build/workflow environment variables. This package is part of a broader malicious cluster affecting both Go and RubyGems ecosystems.
GoCompromised packageMalicious maintainer - activecritical
Malicious code in github.com/BufferZoneCorp/go-retryablehttp (Go)
Malicious code was discovered in the Go package github.com/BufferZoneCorp/go-retryablehttp. The package steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.
GoCompromised packageMalicious maintainer