Published in News

RubyGems maintainers pull packages

by on22 August 2019


11 Ruby libraries had a backdoor

Maintainers of the RubyGems package repository have pulled 18 malicious versions of 11 Ruby libraries that contained a backdoor mechanism and were caught inserting code that launched hidden cryptocurrency mining operations inside other people's Ruby projects.

The malicious code was discovered yesterday inside four versions of rest-client, an extremely popular Ruby library.

Dutch Ruby developer Jan Dintel said that the malicious code found in rest-client would collect and send the URL and environment variables of a compromised system to a remote server in Ukraine.

Depending on your setup this can include credentials of services that you use. for example database, payment service provider, Dintel said.

The code contained a backdoor mechanism that allowed the attacker to send a cookie file back to a compromised project, and allow the attacker to execute malicious commands. A subsequent investigation by the RubyGems staff discovered that this mechanism was being abused to insert cryptocurrency mining code.

RubyGems staff also uncovered similar code in 10 other projects. All the libraries, except rest-client, were created by taking another fully functional library, adding the malicious code, and then re-uploading it on RubyGems under a new name. All in all, all the 18 malicious library versions only managed to amass 3,584 downloads before being removed from RubyGems.

Last modified on 22 August 2019
Rate this item
(0 votes)