{"id":"MAL-2026-3621","summary":"Malicious code in github.com/BufferZoneCorp/go-envconfig (Go)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: google-open-source-security (a4e4f74e90479d472a307d311d48214827e21cf93ecf9b0b62ff2cb72adb2c9e)\nThis package is a malicious package, part of the Go BufferZoneCorp and RubyGems knot-theory clusters.\nThe packages in this cluster steal credentials, set up SSH access and tamper with build/workflow environment variables.\n","modified":"2026-05-13T04:18:16.294489Z","published":"2026-05-13T03:09:00Z","database_specific":{"iocs":{"urls":["https://webhook.site/49c21843-c27c-4a1b-b1f6-037c3998055f"]},"malicious-packages-origins":[{"source":"google-open-source-security","modified_time":"2026-05-13T03:51:44Z","sha256":"a4e4f74e90479d472a307d311d48214827e21cf93ecf9b0b62ff2cb72adb2c9e","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"import_time":"2026-05-13T03:53:19.895958Z"}]},"references":[{"type":"ARTICLE","url":"https://socket.dev/blog/malicious-ruby-gems-and-go-modules-steal-secrets-poison-ci"}],"affected":[{"package":{"name":"github.com/BufferZoneCorp/go-envconfig","ecosystem":"Go","purl":"pkg:golang/github.com/BufferZoneCorp/go-envconfig"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/go/github.com/bufferzonecorp/go-envconfig/MAL-2026-3621.json"}}],"schema_version":"1.7.5"}