RubyGems malware campaign steals passwords


Security researchers from Socket have found that a group of attackers has been exploiting the RubyGems code repository for over two years, turning seemingly helpful tools into password-stealing malware.

We build amazing things using shared, open-source code, trusting that the building blocks we use are safe. But the discovery by Socket is a reminder of how fragile that trust can be. 

Imagine downloading a tool that promises to automate your social media posts. You run it, a little window pops up asking for your username and password, and it does exactly what it says on the tin. What you don’t see is that in the split second before the tool gets to work, your credentials have been bundled up and sent to a server on the other side of the world, straight into the hands of a hacker.

That was the devious trick behind a long-running RubyGems malware campaign. Since at least March 2023, a threat actor operating under various aliases has published 60 of these malicious packages. They were downloaded more than 275,000 times. While not every download led to an infection, it gives you a sense of the scale of this patient and persistent operation.

The campaign managed to remain hidden in plain sight for a long time. The attackers targeted a unique group: so-called “grey-hat marketers”. These are operators who use aggressive automation and disposable identities to boost search engine rankings or create synthetic buzz online.

Because this group often uses throwaway accounts, they were the perfect victims. If an account got compromised, they’d likely just discard it and create a new one without ever reporting the breach. This allowed the RubyGems malware to thrive undetected.

The attackers showed a clear focus on South Korea. The tools’ interfaces, internal notes, and help text were all written in Korean, and the stolen data was often sent to servers with Korean domains.

However, perhaps most worrying is where the campaign recently turned its attention: financial forums. 

Several of the malicious gems were designed as autoposters for stock discussion boards, targeting promoters who wanted to flood forums with hype about certain stocks. The tools did help them spam the forums, but they also stole their login details. This raises the possibility that the attackers could use that access for wider market manipulation or disinformation campaigns.

Socket has reported the malware operation, though at the time of writing 16 of the malicious gems were still active and available for download on RubyGems.
