Malicious code in github.com/BufferZoneCorp/go-envconfig (Go)
The Go package github.com/BufferZoneCorp/go-envconfig contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. This package is part of a broader malicious cluster affecting both Go and RubyGems ecosystems.
- Disclosed
- Last updated
- Blast radius
- Unknown; depends on adoption of the malicious package versions
- Ecosystems
- Attack vectors
- Affected entities
- github.com/BufferZoneCorp/go-envconfig
A malicious Go package, github.com/BufferZoneCorp/go-envconfig, has been identified as part of a coordinated attack cluster spanning Go and RubyGems ecosystems. The package is hosted on GitHub under the BufferZoneCorp organization.
The malicious code performs multiple harmful actions: credential theft, SSH access setup, and tampering with build and workflow environment variables. These capabilities suggest the attack is designed to establish persistent access and exfiltrate sensitive information from affected systems.
This package is part of a larger cluster of malicious packages identified by Google's open-source security research. The coordinated nature of the attack across multiple ecosystems indicates a sophisticated threat actor.
Immediate action is required to identify and remove this package from any systems where it may have been installed.
Indicators of compromise
- Packages
- github.com/BufferZoneCorp/go-envconfig
Remediation
- Immediately audit all Go module dependencies for the presence of github.com/BufferZoneCorp/go-envconfig
- Remove the malicious package from all affected systems and projects
- Rotate all credentials and SSH keys that may have been exposed
- Review build and workflow environment variables for unauthorized modifications
- Scan systems for unauthorized SSH access or persistence mechanisms
- Monitor for signs of credential exfiltration or unauthorized access
- Update go.mod and go.sum files to remove the dependency
- Consider using dependency scanning tools to detect similar malicious packages
Sources
- GitHub Advisory GHSA-347c-j94p-m438 · GitHub Advisory Database
Cite this entry
"Malicious code in github.com/BufferZoneCorp/go-envconfig (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-bufferzonecorp-go-envconfig-go-ist1th
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- containedcritical
Malicious code in github.com/BufferZoneCorp/config-loader (Go)
The Go package github.com/BufferZoneCorp/config-loader was identified as malicious, part of a cluster of packages designed to steal credentials, establish SSH access, and tamper with build and workflow environment variables. The package was flagged by Google's open-source security research.
GoCompromised packageMalicious maintainer - activecritical
Malicious code in github.com/BufferZoneCorp/go-weather-sdk (Go)
The Go package github.com/BufferZoneCorp/go-weather-sdk contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.
GoCompromised packageMalicious maintainer - activecritical
Malicious code in github.com/BufferZoneCorp/grpc-client (Go)
The Go package github.com/BufferZoneCorp/grpc-client contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. The package is part of a broader BufferZoneCorp and RubyGems cluster of malicious packages.
GoCompromised packageMalicious maintainer - containedcritical
Malicious code in github.com/BufferZoneCorp/net-helper (Go)
The Go package github.com/BufferZoneCorp/net-helper contains malicious code that steals credentials, establishes SSH access, and tampers with build/workflow environment variables. This package is part of a broader malicious cluster affecting both Go and RubyGems ecosystems.
GoCompromised packageMalicious maintainer