Sixty malicious Ruby gems containing credential-stealing code have been downloaded over 275,000 times since March 2023, targeting developer accounts.
The malicious Ruby gems were discovered by Socket, which reports they targeted primarily South Korean users of automation tools for Instagram, TikTok, Twitter/X, Telegram, Naver, WordPress, and Kakao.
RubyGems is the official package manager for the Ruby programming language, enabling the distribution, installation, and management of Ruby libraries, known as gems, much like npm for JavaScript or PyPI for Python.
The malicious gems in this campaign were published to RubyGems.org under several aliases over the course of the campaign. The publisher accounts are zon, nowon, kwonsoonje, and soonje; spreading the uploads across multiple accounts makes the activity harder to trace and block.
The full list of the malicious packages can be found in Socket's report, but below are some notable cases of deceptively named or typosquatted packages:
WordPress-style automators: wp_posting_duo, wp_posting_zon
Telegram-style bots: tg_send_duo, tg_send_zon
SEO/backlink tools: backlink_zon, back_duo
Blog platform mimics: nblog_duo, nblog_zon, tblog_duopack, tblog_zon
Naver Café interaction tools: cafe_basics[_duo], cafe_buy[_duo], cafe_bey, *_blog_comment, *_cafe_comment (brackets mark an optional suffix, * a varying prefix)
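For a practitioner who wants to check whether any of these names appear in a project, the script below is an added example and is not code from Socket's report or from the article. It transcribes only the gem names quoted above (not Socket's full list), keeps the page's own shorthand for optional suffixes and wildcard prefixes, and runs it against a Gemfile.lock or the output of `gem list`. The Gemfile.lock and `gem list` text it scans are constructed here for illustration.

```ruby
# Added example: scan Gemfile.lock / `gem list` output for the gem names
# quoted on this page. NOT Socket's full indicator list; the names below
# are only the ones called out above, in the page's own shorthand:
#   "[_duo]" = optional suffix, "*" = any prefix.
INDICATORS = %w[
  wp_posting_duo wp_posting_zon
  tg_send_duo tg_send_zon
  backlink_zon back_duo
  nblog_duo nblog_zon tblog_duopack tblog_zon
  cafe_basics[_duo] cafe_buy[_duo] cafe_bey *_blog_comment *_cafe_comment
].freeze

# Turn one indicator into an anchored regex: "[x]" -> optional group, "*" -> wildcard,
# everything else matched literally.
def indicator_regex(indicator)
  pattern = indicator.split(/([\[\]*])/).map do |tok|
    case tok
    when "[" then "(?:"
    when "]" then ")?"
    when "*" then ".*"
    else Regexp.escape(tok)
    end
  end.join
  Regexp.new("\\A#{pattern}\\z")
end

# Gem names from a Gemfile.lock: every entry under a "specs:" block
# (4-space lines are resolved gems, 6-space lines are their dependencies).
def lockfile_gems(text)
  names = []
  in_specs = false
  text.each_line do |line|
    if line.match?(/\A\s+specs:\s*\z/)
      in_specs = true
      next
    end
    next unless in_specs
    if (m = line.match(/\A\s{4,}([^\s(]+)/))
      names << m[1]
    else
      in_specs = false # blank line or next section ends the block
    end
  end
  names.uniq
end

# Gem names from `gem list` output, e.g. "cafe_bey (0.1.0)"; skips the banner line.
def gem_list_names(text)
  text.each_line.filter_map do |line|
    m = line.match(/\A([^\s(*]+) \(/)
    m && m[1]
  end
end

# Map each installed name that matches an indicator to the indicator it hit.
def flag_suspicious(names, indicators = INDICATORS)
  regexes = indicators.map { |ind| [ind, indicator_regex(ind)] }
  names.each_with_object({}) do |name, hits|
    ind, = regexes.find { |_, re| re.match?(name) }
    hits[name] = ind if ind
  end
end

# Constructed sample lockfile (not a real project): two page-listed names,
# one name that only hits the "*_blog_comment" wildcard, and benign gems.
SAMPLE_LOCKFILE = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    cafe_basics_duo (1.0.2)
      nokogiri (>= 1.13)
    mini_blog_comment (0.3.0)
    nokogiri (1.16.0)
      racc (~> 1.4)
    racc (1.7.3)
    rake (13.1.0)
    tg_send_zon (2.1.0)

PLATFORMS
  ruby

DEPENDENCIES
  cafe_basics_duo
  rake
  tg_send_zon
LOCK

if __FILE__ == $PROGRAM_NAME
  source = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  names = source.include?("specs:") ? lockfile_gems(source) : gem_list_names(source)
  flag_suspicious(names).each { |name, ind| puts "#{name}\tmatches indicator #{ind}" }
end
```

Run it as `ruby scan.rb Gemfile.lock` or `gem list | ruby scan.rb /dev/stdin`; with no argument it scans the constructed sample. The two wildcard entries (`*_blog_comment`, `*_cafe_comment`) will also catch legitimately named gems with those suffixes, so treat a wildcard hit as a lead to verify against Socket's full list rather than as a confirmed finding.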