Malicious code in github.com/BufferZoneCorp/grpc-client (Go)
The Go package github.com/BufferZoneCorp/grpc-client contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. The package is part of a broader BufferZoneCorp and RubyGems cluster of malicious packages.
- Disclosed
- Last updated
- Blast radius
- Unknown; depends on adoption of the malicious package versions
- Ecosystems
- Attack vectors
- Affected entities
- github.com/BufferZoneCorp/grpc-clientGo package containing malicious code
GitHub Security Advisory GHSA-824x-m5vm-rhhx identifies malicious code in the Go package github.com/BufferZoneCorp/grpc-client. The package is flagged as part of a coordinated cluster of malicious packages affecting both Go and RubyGems ecosystems under the BufferZoneCorp and knot-theory naming schemes.
The malicious payload performs credential theft, establishes unauthorized SSH access, and modifies build and workflow environment variables. This suggests the attack is designed to persist across CI/CD pipelines and enable further compromise of downstream systems.
The package appears to be actively distributed via the Go module registry. Users who have imported this package into their projects are at immediate risk of credential exposure and supply chain compromise.
Indicators of compromise
- Packages
- github.com/BufferZoneCorp/grpc-client
Remediation
- Immediately audit all projects for dependencies on github.com/BufferZoneCorp/grpc-client and remove the package
- Rotate all credentials (API keys, SSH keys, tokens) that may have been exposed on systems where this package was installed or built
- Review CI/CD logs and environment variable history for signs of tampering or exfiltration
- Scan build artifacts and deployment systems for unauthorized SSH keys or backdoors
- Monitor for suspicious network connections or SSH access attempts from affected systems
- Update dependency management tools to block or alert on this package
Sources
- GitHub Advisory GHSA-824x-m5vm-rhhx · GitHub Advisory Database
Cite this entry
"Malicious code in github.com/BufferZoneCorp/grpc-client (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-bufferzonecorp-grpc-client-go-1biu2c
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- containedcritical
Malicious code in github.com/BufferZoneCorp/config-loader (Go)
The Go package github.com/BufferZoneCorp/config-loader was identified as malicious, part of a cluster of packages designed to steal credentials, establish SSH access, and tamper with build and workflow environment variables. The package was flagged by Google's open-source security research.
GoCompromised packageMalicious maintainer - activecritical
Malicious code in github.com/BufferZoneCorp/go-weather-sdk (Go)
The Go package github.com/BufferZoneCorp/go-weather-sdk contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.
GoCompromised packageMalicious maintainer - containedcritical
Malicious code in github.com/BufferZoneCorp/net-helper (Go)
The Go package github.com/BufferZoneCorp/net-helper contains malicious code that steals credentials, establishes SSH access, and tampers with build/workflow environment variables. This package is part of a broader malicious cluster affecting both Go and RubyGems ecosystems.
GoCompromised packageMalicious maintainer - activecritical
Malicious code in github.com/BufferZoneCorp/go-retryablehttp (Go)
Malicious code was discovered in the Go package github.com/BufferZoneCorp/go-retryablehttp. The package steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.
GoCompromised packageMalicious maintainer