As developers increasingly embrace off-the-shelf software components into their apps and services, threat actors are abusing open-source repositories such as RubyGems to distribute malicious packages, intended to compromise their computers or backdoor software projects they work on.
In the latest research shared with The Hacker News, cybersecurity experts at ReversingLabs revealed over 700 malicious gems — packages written in Ruby programming language — that supply chain attackers were caught recently distributing through the RubyGems repository.
The malicious campaign leveraged the typosquatting technique where attackers uploaded intentionally misspelled legitimate packages in hopes that unwitting developers will mistype the name and unintentionally install the malicious library instead.
ReversingLabs said the typosquatted packages in question were uploaded to RubyGems between February 16 and February 25, and that most of them have been designed to secretly steal funds by redirecting cryptocurrency transactions to a wallet address under the attacker’s control.
In other words, this particular supply chain attack targeted Ruby developers with Windows systems who also happened to use the machines to make Bitcoin transactions.
After the findings were privately disclosed to RubyGems maintainers, the malicious gems and associated attackers’ accounts were removed, almost two days later on February 27.
“Being closely integrated with the programming languages, the repositories make it easy to consume and manage third-party components,” the cybersecurity firm said.
“Consequently, including another project dependency has become as easy as clicking a button or running a simple command in the developer environment. But just clicking a button or running a simple command can sometimes be a dangerous thing, as threat actors also share an interest in this convenience by compromising developer accounts or their build environments, and by typosquatting package names,” it added.
images from Hacker News