Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malicious code in github.com/BufferZoneCorp/config-loader (Go)

The Go package github.com/BufferZoneCorp/config-loader was identified as malicious, part of a cluster of packages designed to steal credentials, establish SSH access, and tamper with build and workflow environment variables. The package was flagged by Google's open-source security research.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Unknown; depends on adoption of the malicious package versions
Ecosystems
Attack vectors
Affected entities
  • github.com/BufferZoneCorp/config-loaderGo package containing malicious code

Overview

The Go package github.com/BufferZoneCorp/config-loader has been identified as containing malicious code by Google's open-source security research team. This package is part of a coordinated cluster of malicious packages spanning Go and RubyGems ecosystems.

Malicious Behavior

The package is designed to perform multiple harmful actions on affected systems:

  • Steal credentials from the host environment
  • Establish SSH access for remote persistence
  • Tamper with build and workflow environment variables, potentially compromising CI/CD pipelines

Scope

The malicious package was published on GitHub and indexed in the GitHub Advisory Database (GHSA-vr4x-2cr3-p6p4). The cluster includes related malicious packages in both the Go and RubyGems ecosystems, suggesting a coordinated supply chain attack campaign.

Indicators of compromise

Packages
  • github.com/BufferZoneCorp/config-loader

Remediation

  • Immediately remove or uninstall github.com/BufferZoneCorp/config-loader from all projects and systems
  • Audit all systems that may have executed this package for signs of credential theft or unauthorized SSH access
  • Review and rotate all credentials (API keys, passwords, SSH keys) that may have been exposed
  • Inspect CI/CD pipeline logs and environment variables for signs of tampering
  • Check for unauthorized SSH keys or access on affected systems
  • Update to a safe, verified alternative package for configuration loading
  • Monitor for related malicious packages in the BufferZoneCorp and knot-theory clusters

Sources

  1. GitHub Advisory GHSA-vr4x-2cr3-p6p4 · GitHub Advisory Database

Cite this entry

"Malicious code in github.com/BufferZoneCorp/config-loader (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-bufferzonecorp-config-loader-go-jxsdhb

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. activecritical

    Malicious code in github.com/BufferZoneCorp/go-weather-sdk (Go)

    The Go package github.com/BufferZoneCorp/go-weather-sdk contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.

    GoCompromised packageMalicious maintainer
  2. activecritical

    Malicious code in github.com/BufferZoneCorp/grpc-client (Go)

    The Go package github.com/BufferZoneCorp/grpc-client contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. The package is part of a broader BufferZoneCorp and RubyGems cluster of malicious packages.

    GoCompromised packageMalicious maintainer
  3. containedcritical

    Malicious code in github.com/BufferZoneCorp/net-helper (Go)

    The Go package github.com/BufferZoneCorp/net-helper contains malicious code that steals credentials, establishes SSH access, and tampers with build/workflow environment variables. This package is part of a broader malicious cluster affecting both Go and RubyGems ecosystems.

    GoCompromised packageMalicious maintainer
  4. activecritical

    Malicious code in github.com/BufferZoneCorp/go-retryablehttp (Go)

    Malicious code was discovered in the Go package github.com/BufferZoneCorp/go-retryablehttp. The package steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.

    GoCompromised packageMalicious maintainer