Malicious code in github.com/BufferZoneCorp/net-helper (Go)
The Go package github.com/BufferZoneCorp/net-helper contains malicious code that steals credentials, establishes SSH access, and tampers with build/workflow environment variables. This package is part of a broader malicious cluster affecting both Go and RubyGems ecosystems.
- Disclosed
- Last updated
- Blast radius
- Developers and CI/CD systems using github.com/BufferZoneCorp/net-helper
- Ecosystems
- Attack vectors
- Affected entities
- github.com/BufferZoneCorp/net-helperGo package containing malicious code
The Go package github.com/BufferZoneCorp/net-helper has been identified as containing malicious code by Google's open-source security research. The package is part of a coordinated cluster of malicious packages spanning both Go and RubyGems ecosystems, including the knot-theory cluster.
The malicious functionality includes credential theft, unauthorized SSH access setup, and tampering with build and workflow environment variables. This represents a significant supply chain risk for any developer or CI/CD system that has incorporated this package as a dependency.
The advisory was published on 2026-07-13 and is tracked under GitHub Security Advisory GHSA-pcfq-rfm3-rj37. The package should be immediately removed from any affected projects and dependencies audited for compromise.
Indicators of compromise
- Packages
- github.com/BufferZoneCorp/net-helper
Remediation
- Immediately remove github.com/BufferZoneCorp/net-helper from all projects and dependency manifests
- Audit all systems that may have executed code from this package for credential theft and unauthorized SSH keys
- Review build and workflow environment variables for tampering or unauthorized modifications
- Rotate all credentials that may have been exposed to systems running this package
- Scan CI/CD logs for suspicious activity during periods when this package was in use
- Update to a clean version of any legitimate replacement package if available
Sources
- GitHub Advisory GHSA-pcfq-rfm3-rj37 · GitHub Advisory Database
Cite this entry
"Malicious code in github.com/BufferZoneCorp/net-helper (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-bufferzonecorp-net-helper-go-1dau7v
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- containedcritical
Malicious code in github.com/BufferZoneCorp/config-loader (Go)
The Go package github.com/BufferZoneCorp/config-loader was identified as malicious, part of a cluster of packages designed to steal credentials, establish SSH access, and tamper with build and workflow environment variables. The package was flagged by Google's open-source security research.
GoCompromised packageMalicious maintainer - activecritical
Malicious code in github.com/BufferZoneCorp/go-weather-sdk (Go)
The Go package github.com/BufferZoneCorp/go-weather-sdk contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.
GoCompromised packageMalicious maintainer - activecritical
Malicious code in github.com/BufferZoneCorp/grpc-client (Go)
The Go package github.com/BufferZoneCorp/grpc-client contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. The package is part of a broader BufferZoneCorp and RubyGems cluster of malicious packages.
GoCompromised packageMalicious maintainer - activecritical
Malicious code in github.com/BufferZoneCorp/go-retryablehttp (Go)
Malicious code was discovered in the Go package github.com/BufferZoneCorp/go-retryablehttp. The package steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.
GoCompromised packageMalicious maintainer