Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malicious code in github.com/BufferZoneCorp/net-helper (Go)

The Go package github.com/BufferZoneCorp/net-helper contains malicious code that steals credentials, establishes SSH access, and tampers with build/workflow environment variables. This package is part of a broader malicious cluster affecting both Go and RubyGems ecosystems.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Developers and CI/CD systems using github.com/BufferZoneCorp/net-helper
Ecosystems
Attack vectors
Affected entities
  • github.com/BufferZoneCorp/net-helperGo package containing malicious code

The Go package github.com/BufferZoneCorp/net-helper has been identified as containing malicious code by Google's open-source security research. The package is part of a coordinated cluster of malicious packages spanning both Go and RubyGems ecosystems, including the knot-theory cluster.

The malicious functionality includes credential theft, unauthorized SSH access setup, and tampering with build and workflow environment variables. This represents a significant supply chain risk for any developer or CI/CD system that has incorporated this package as a dependency.

The advisory was published on 2026-07-13 and is tracked under GitHub Security Advisory GHSA-pcfq-rfm3-rj37. The package should be immediately removed from any affected projects and dependencies audited for compromise.

Indicators of compromise

Packages
  • github.com/BufferZoneCorp/net-helper

Remediation

  • Immediately remove github.com/BufferZoneCorp/net-helper from all projects and dependency manifests
  • Audit all systems that may have executed code from this package for credential theft and unauthorized SSH keys
  • Review build and workflow environment variables for tampering or unauthorized modifications
  • Rotate all credentials that may have been exposed to systems running this package
  • Scan CI/CD logs for suspicious activity during periods when this package was in use
  • Update to a clean version of any legitimate replacement package if available

Sources

  1. GitHub Advisory GHSA-pcfq-rfm3-rj37 · GitHub Advisory Database

Cite this entry

"Malicious code in github.com/BufferZoneCorp/net-helper (Go)." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 13, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malicious-code-in-github-com-bufferzonecorp-net-helper-go-1dau7v

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. containedcritical

    Malicious code in github.com/BufferZoneCorp/config-loader (Go)

    The Go package github.com/BufferZoneCorp/config-loader was identified as malicious, part of a cluster of packages designed to steal credentials, establish SSH access, and tamper with build and workflow environment variables. The package was flagged by Google's open-source security research.

    GoCompromised packageMalicious maintainer
  2. activecritical

    Malicious code in github.com/BufferZoneCorp/go-weather-sdk (Go)

    The Go package github.com/BufferZoneCorp/go-weather-sdk contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.

    GoCompromised packageMalicious maintainer
  3. activecritical

    Malicious code in github.com/BufferZoneCorp/grpc-client (Go)

    The Go package github.com/BufferZoneCorp/grpc-client contains malicious code that steals credentials, establishes SSH access, and tampers with build and workflow environment variables. The package is part of a broader BufferZoneCorp and RubyGems cluster of malicious packages.

    GoCompromised packageMalicious maintainer
  4. activecritical

    Malicious code in github.com/BufferZoneCorp/go-retryablehttp (Go)

    Malicious code was discovered in the Go package github.com/BufferZoneCorp/go-retryablehttp. The package steals credentials, establishes SSH access, and tampers with build and workflow environment variables. It is part of a broader cluster of malicious packages affecting both Go and RubyGems ecosystems.

    GoCompromised packageMalicious maintainer