Skip to content
supplychainattack.orgSupply chain attack incident catalog
activecritical

Malicious code in github.com/BufferZoneCorp/go-stdlib-ext (Go)

The Go package github.com/BufferZoneCorp/go-stdlib-ext contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. The package is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Unknown; depends on adoption of the malicious package
Ecosystems
Attack vectors
Affected entities
  • github.com/BufferZoneCorp/go-stdlib-ext

The Go package github.com/BufferZoneCorp/go-stdlib-ext has been identified as containing malicious code by Google's open-source security research. The package is part of a coordinated cluster of malicious packages spanning both Go and RubyGems ecosystems under the BufferZoneCorp and knot-theory identifiers.

The malicious payload performs credential theft, establishes unauthorized SSH access to affected systems, and modifies build and workflow environment variables. This allows attackers to maintain persistence and potentially compromise downstream build processes and CI/CD pipelines.

The package was published on GitHub and indexed in the Go module ecosystem, making it discoverable and installable by developers. The advisory was published on 2026-07-13 via GitHub's security advisory system (GHSA-r7vj-3mvq-97h2).

Indicators of compromise

Packages
  • github.com/BufferZoneCorp/go-stdlib-ext

Remediation

  • Immediately audit all projects for dependencies on github.com/BufferZoneCorp/go-stdlib-ext and remove the package
  • Rotate all credentials and SSH keys on systems where this package may have been installed or executed
  • Review build logs and CI/CD pipeline execution history for signs of tampering or unauthorized access
  • Scan systems for unauthorized SSH keys or backdoors
  • Check environment variables in build systems for unexpected modifications
  • Update go.mod and go.sum files to remove the malicious dependency
  • Consider running security audits on downstream artifacts built with this package

Sources

  1. GitHub Advisory GHSA-r7vj-3mvq-97h2 · GitHub Advisory Database

Cite this entry

"Malicious code in github.com/BufferZoneCorp/go-stdlib-ext (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-bufferzonecorp-go-stdlib-ext-go-zh2jdf

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. containedcritical

    Malicious code in github.com/BufferZoneCorp/config-loader (Go)

    The Go package github.com/BufferZoneCorp/config-loader was identified as malicious, part of a cluster of packages designed to steal credentials, establish SSH access, and tamper with build and workflow environment variables. The package was flagged by Google's open-source security research.

    GoCompromised packageMalicious maintainer
  2. activecritical

    Malicious code in github.com/BufferZoneCorp/go-weather-sdk (Go)

    The Go package github.com/BufferZoneCorp/go-weather-sdk contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.

    GoCompromised packageMalicious maintainer
  3. activecritical

    Malicious code in github.com/BufferZoneCorp/grpc-client (Go)

    The Go package github.com/BufferZoneCorp/grpc-client contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. The package is part of a broader BufferZoneCorp and RubyGems cluster of malicious packages.

    GoCompromised packageMalicious maintainer
  4. containedcritical

    Malicious code in github.com/BufferZoneCorp/net-helper (Go)

    The Go package github.com/BufferZoneCorp/net-helper contains malicious code that steals credentials, establishes SSH access, and tampers with build/workflow environment variables. This package is part of a broader malicious cluster affecting both Go and RubyGems ecosystems.

    GoCompromised packageMalicious maintainer