Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malicious code in github.com/BufferZoneCorp/log-core (Go)

The Go package github.com/BufferZoneCorp/log-core was identified as malicious, part of a cluster that steals credentials, establishes SSH access, and tampers with build/workflow environment variables. The package was flagged by Google's open-source security research.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Unknown; depends on adoption of the malicious package versions
Ecosystems
Attack vectors
Affected entities
  • github.com/BufferZoneCorp/log-coreGo package containing malicious code

Overview

The Go package github.com/BufferZoneCorp/log-core has been identified as containing malicious code. According to Google's open-source security research, this package is part of a coordinated cluster of malicious packages spanning Go and RubyGems ecosystems.

Malicious Behavior

The package is designed to:

  • Steal credentials from affected systems
  • Establish SSH access for persistence
  • Tamper with build and workflow environment variables

Scope

This package was part of a broader attack cluster involving multiple ecosystems (Go and RubyGems), suggesting a coordinated supply chain attack campaign. The exact versions and timeline of malicious releases are not detailed in the source material.

Indicators of compromise

Packages
  • github.com/BufferZoneCorp/log-core

Remediation

  • Immediately audit systems for use of github.com/BufferZoneCorp/log-core
  • Remove all versions of the package from affected projects
  • Rotate all credentials that may have been exposed
  • Review SSH access logs and revoke any unauthorized keys
  • Inspect build and workflow environment variables for tampering
  • Scan systems for indicators of compromise related to this package
  • Review git history and CI/CD logs for suspicious activity

Sources

  1. GitHub Advisory GHSA-p5wx-rrp4-r4w9 · GitHub Advisory Database

Cite this entry

"Malicious code in github.com/BufferZoneCorp/log-core (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-bufferzonecorp-log-core-go-1syu1w

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. containedcritical

    Injective SDK on npm infected with cryptocurrency wallet stealer

    Hackers compromised the Injective Labs SDK GitHub repository and published a malicious npm package that stole cryptocurrency wallet private keys and mnemonic seed phrases from users who installed it.

    npmCompromised packageMalicious commit
  2. activehigh

    New ChocoPoC malware targets researchers via trojanized PoC exploits

    Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering ChocoPoC, a Python-based remote access trojan (RAT) capable of executing commands and stealing sensitive data. The campaign is believed to target cybersecurity researchers.

    OtherMalicious commitCompromised package
  3. activecritical

    Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp

    A self-replicating worm named Miasma is spreading across the npm registry by injecting malicious code into binding.gyp files, which execute during npm install without requiring package.json script modifications. The attack has already compromised dozens of packages across multiple maintainer accounts and evades conventional security detection.

    MiasmanpmCompromised packageMalicious commit
  4. activehigh

    Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware

    A supply chain campaign dubbed "Mini Shai Hulud" targeted SAP npm packages with malicious versions containing credential-stealing malware. The campaign follows patterns similar to previous Shai-Hulud attacks.

    Mini Shai HuludShai-HuludnpmCompromised packageMalicious commit