Attackers poisoned 60+ Ruby gems and Go modules, then waited for CI pipelines to install them and steal credentials

Socket disclosed a fresh wave of supply-chain attacks targeting Ruby gems and Go modules: more than 60 typosquatted packages were uploaded to RubyGems and the Go module registry, designed to look like legitimate dependencies developers might pull into a CI pipeline. Once installed, the packages exfiltrate environment variables (which typically include AWS keys, GitHub tokens, and database credentials in CI environments) to attacker-controlled servers. The targeting is deliberate: typosquats picked names close to popular gems and Go libraries. This is the same operational pattern as the SAP npm compromise covered Wednesday, but targeting Ruby and Go ecosystems.

Check

Review your CI pipelines for any Ruby gem or Go module added in the past month, and confirm every package name matches the canonical upstream exactly.

Affected

Any organization running CI/CD pipelines that install Ruby gems or Go modules without strict pinning. Particularly acute for organizations with broad CI environment variables (AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, DATABASE_URL exposed to install scripts). Developer workstations are also exposed when developers run 'gem install' or 'go get' without verifying package names.

Fix

Pin every Ruby gem and Go module to specific versions and verify the upstream name matches. Move CI secrets out of environment variables and into ephemeral credential providers (OIDC for AWS, GitHub's masked secrets, Hashicorp Vault). Review CI logs for installs of packages whose names look like typosquats. Use Socket, Snyk, or equivalent tools to flag suspicious packages before install.