Skip to content
supplychainattack.orgSupply chain attack incident catalog
activecritical

Malicious code in github.com/BufferZoneCorp/go-metrics-sdk (Go)

The Go package github.com/BufferZoneCorp/go-metrics-sdk contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. The package is part of a broader malicious cluster affecting both Go and RubyGems ecosystems.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Unknown; depends on adoption of the malicious package versions
Ecosystems
Attack vectors
Affected entities
  • github.com/BufferZoneCorp/go-metrics-sdk

A malicious Go package, github.com/BufferZoneCorp/go-metrics-sdk, has been identified as part of a coordinated attack cluster spanning Go and RubyGems ecosystems. The package is hosted on GitHub under the BufferZoneCorp organization.\n\nThe malicious code performs multiple harmful actions: it steals credentials from affected systems, establishes unauthorized SSH access, and modifies build and workflow environment variables. This enables attackers to maintain persistence and potentially compromise downstream projects that depend on this package.\n\nThe package is part of a larger cluster of malicious packages identified by Google's open-source security research, indicating a coordinated supply chain attack campaign. The advisory was published on 2026-07-13 via GitHub's security advisory system (GHSA-fx4m-hpgq-2vcm).

Indicators of compromise

Packages
  • github.com/BufferZoneCorp/go-metrics-sdk

Remediation

  • Immediately remove or uninstall github.com/BufferZoneCorp/go-metrics-sdk from all projects and environments
  • Audit all systems that may have executed code from this package for signs of credential theft or unauthorized SSH access
  • Rotate all credentials (API keys, passwords, SSH keys) that may have been exposed
  • Review build and workflow environment variables for unauthorized modifications
  • Check git history and CI/CD logs for suspicious activity
  • Consider this a critical supply chain incident and notify all downstream consumers of affected projects
  • Use only verified, trusted versions of metrics SDKs from official sources

Sources

  1. GitHub Advisory GHSA-fx4m-hpgq-2vcm · GitHub Advisory Database

Cite this entry

"Malicious code in github.com/BufferZoneCorp/go-metrics-sdk (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-bufferzonecorp-go-metrics-sdk-go-3azbji

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. containedcritical

    Malicious code in github.com/BufferZoneCorp/config-loader (Go)

    The Go package github.com/BufferZoneCorp/config-loader was identified as malicious, part of a cluster of packages designed to steal credentials, establish SSH access, and tamper with build and workflow environment variables. The package was flagged by Google's open-source security research.

    GoCompromised packageMalicious maintainer
  2. activecritical

    Malicious code in github.com/BufferZoneCorp/go-weather-sdk (Go)

    The Go package github.com/BufferZoneCorp/go-weather-sdk contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.

    GoCompromised packageMalicious maintainer
  3. activecritical

    Malicious code in github.com/BufferZoneCorp/grpc-client (Go)

    The Go package github.com/BufferZoneCorp/grpc-client contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. The package is part of a broader BufferZoneCorp and RubyGems cluster of malicious packages.

    GoCompromised packageMalicious maintainer
  4. containedcritical

    Malicious code in github.com/BufferZoneCorp/net-helper (Go)

    The Go package github.com/BufferZoneCorp/net-helper contains malicious code that steals credentials, establishes SSH access, and tampers with build/workflow environment variables. This package is part of a broader malicious cluster affecting both Go and RubyGems ecosystems.

    GoCompromised packageMalicious maintainer