Malicious code in github.com/BufferZoneCorp/go-retryablehttp (Go)
Malicious code was discovered in the Go package github.com/BufferZoneCorp/go-retryablehttp. The package steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.
- Disclosed
- Last updated
- Blast radius
- Unknown; depends on adoption of the malicious package versions
- Ecosystems
- Attack vectors
- Affected entities
- github.com/BufferZoneCorp/go-retryablehttp
A malicious package named github.com/BufferZoneCorp/go-retryablehttp was identified in the Go ecosystem. The package contains code designed to steal credentials, set up unauthorized SSH access, and modify build and workflow environment variables on affected systems.
This package is part of a coordinated cluster of malicious packages spanning both Go and RubyGems ecosystems, identified as the BufferZoneCorp and knot-theory clusters. The malicious behavior suggests a supply chain attack targeting developers and CI/CD environments.
The advisory was published on 2026-07-13 and assigned GitHub Security Advisory identifier GHSA-mq34-crwj-48xv. The source severity is rated as critical due to the nature of the compromise and potential for widespread impact.
Indicators of compromise
- Packages
- github.com/BufferZoneCorp/go-retryablehttp
Remediation
- Immediately audit all systems and projects that have imported github.com/BufferZoneCorp/go-retryablehttp
- Remove the malicious package from all dependencies and lock files
- Rotate all credentials and SSH keys that may have been exposed
- Review build and workflow environment variables for unauthorized modifications
- Scan CI/CD logs for evidence of credential theft or unauthorized access
- Use a legitimate HTTP retry library as a replacement (e.g., github.com/hashicorp/go-retryablehttp)
- Implement package verification and integrity checks in your supply chain
Sources
- GitHub Advisory GHSA-mq34-crwj-48xv · GitHub Advisory Database
Cite this entry
"Malicious code in github.com/BufferZoneCorp/go-retryablehttp (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-bufferzonecorp-go-retryablehttp-go-1dag7f
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- containedcritical
Malicious code in github.com/BufferZoneCorp/config-loader (Go)
The Go package github.com/BufferZoneCorp/config-loader was identified as malicious, part of a cluster of packages designed to steal credentials, establish SSH access, and tamper with build and workflow environment variables. The package was flagged by Google's open-source security research.
GoCompromised packageMalicious maintainer - activecritical
Malicious code in github.com/BufferZoneCorp/go-weather-sdk (Go)
The Go package github.com/BufferZoneCorp/go-weather-sdk contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.
GoCompromised packageMalicious maintainer - activecritical
Malicious code in github.com/BufferZoneCorp/grpc-client (Go)
The Go package github.com/BufferZoneCorp/grpc-client contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. The package is part of a broader BufferZoneCorp and RubyGems cluster of malicious packages.
GoCompromised packageMalicious maintainer - containedcritical
Malicious code in github.com/BufferZoneCorp/net-helper (Go)
The Go package github.com/BufferZoneCorp/net-helper contains malicious code that steals credentials, establishes SSH access, and tampers with build/workflow environment variables. This package is part of a broader malicious cluster affecting both Go and RubyGems ecosystems.
GoCompromised packageMalicious maintainer