Malicious code in github.com/BufferZoneCorp/log-core (Go)
The Go package github.com/BufferZoneCorp/log-core was identified as malicious, part of a cluster that steals credentials, establishes SSH access, and tampers with build/workflow environment variables. The package was flagged by Google's open-source security research.
- Disclosed
- Last updated
- Blast radius
- Unknown; depends on adoption of the malicious package versions
- Ecosystems
- Attack vectors
- Affected entities
- github.com/BufferZoneCorp/log-coreGo package containing malicious code
Overview
The Go package github.com/BufferZoneCorp/log-core has been identified as containing malicious code. According to Google's open-source security research, this package is part of a coordinated cluster of malicious packages spanning Go and RubyGems ecosystems.
Malicious Behavior
The package is designed to:
- Steal credentials from affected systems
- Establish SSH access for persistence
- Tamper with build and workflow environment variables
Scope
This package was part of a broader attack cluster involving multiple ecosystems (Go and RubyGems), suggesting a coordinated supply chain attack campaign. The exact versions and timeline of malicious releases are not detailed in the source material.
Indicators of compromise
- Packages
- github.com/BufferZoneCorp/log-core
Remediation
- Immediately audit systems for use of github.com/BufferZoneCorp/log-core
- Remove all versions of the package from affected projects
- Rotate all credentials that may have been exposed
- Review SSH access logs and revoke any unauthorized keys
- Inspect build and workflow environment variables for tampering
- Scan systems for indicators of compromise related to this package
- Review git history and CI/CD logs for suspicious activity
Sources
- GitHub Advisory GHSA-p5wx-rrp4-r4w9 · GitHub Advisory Database
Cite this entry
"Malicious code in github.com/BufferZoneCorp/log-core (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-bufferzonecorp-log-core-go-1syu1w
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- containedcritical
Injective SDK on npm infected with cryptocurrency wallet stealer
Hackers compromised the Injective Labs SDK GitHub repository and published a malicious npm package that stole cryptocurrency wallet private keys and mnemonic seed phrases from users who installed it.
npmCompromised packageMalicious commit - activehigh
New ChocoPoC malware targets researchers via trojanized PoC exploits
Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering ChocoPoC, a Python-based remote access trojan (RAT) capable of executing commands and stealing sensitive data. The campaign is believed to target cybersecurity researchers.
OtherMalicious commitCompromised package - activecritical
Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp
A self-replicating worm named Miasma is spreading across the npm registry by injecting malicious code into binding.gyp files, which execute during npm install without requiring package.json script modifications. The attack has already compromised dozens of packages across multiple maintainer accounts and evades conventional security detection.
MiasmanpmCompromised packageMalicious commit - activehigh
Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware
A supply chain campaign dubbed "Mini Shai Hulud" targeted SAP npm packages with malicious versions containing credential-stealing malware. The campaign follows patterns similar to previous Shai-Hulud attacks.
Mini Shai HuludShai-HuludnpmCompromised packageMalicious commit