Backdoored Ruby gems stole credentials, injected cryptomining code

The compromise of several older versions of a popular Ruby software package (aka a Ruby “gem”) has led to the discovery of a more widespread effort to inject malware and mining software through Trojanized gems.


What happened?

Two days ago, developer Jussi Koljonen announced that a compromised version of rest-client, a popular HTTP and REST client for Ruby, had apparently been uploaded to RubyGems, the Ruby community’s gem hosting service.

The injected code would fetch malicious code from pastebin.com, collect sensitive information from the host machine the client ran on, and send it to the attacker’s server.

“Depending on your set-up this can include credentials of services that you use e.g. database, payment service provider,” Koljonen noted, and added that it also allowed the attacker to deliver and execute additional malicious code on the host machine (by way of a signed cookie).

Apparently, the attacker wanted to use the infected hosts to surreptitiously mine cryptocurrency.

The discovery triggered a wider investigation, and the same code was found in nearly a dozen other gems: bitcoin_vanity, lita_coin, coming-soon, omniauth_amazon, cron_parser, coin_base, blockchain_wallet, awesome-bot, doge-coin and capistrano-colors, all of which have been removed by the RubyGems team. The compromised accounts of the developers have also been locked.

All in all, the various compromised gems were downloaded a little over 3,500 times. Rest-client 1.6.13, the gem that had triggered the discovery of the scheme, had 1,061 downloads.
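As an added example (not code from the article, from RubyGems or from any of the projects named), the following Ruby script parses a Gemfile.lock and flags dependencies on the gems listed above, treating rest-client 1.6.13, the only compromised version the article gives, as known-bad and reporting any version of the other named gems for manual review; the sample lockfile is constructed.

```ruby
# Gems the article names as carrying the injected code. The only compromised version the
# article gives is rest-client 1.6.13; the others carry nil, so any pinned version is reported.
COMPROMISED_GEMS = { "rest-client" => ["1.6.13"] }
%w[bitcoin_vanity lita_coin coming-soon omniauth_amazon cron_parser coin_base
   blockchain_wallet awesome-bot doge-coin capistrano-colors].each { |g| COMPROMISED_GEMS[g] = nil }

# {gem name => resolved version} from the specs: blocks of a Gemfile.lock.
# Resolved gems sit at 4-space indent; 6-space lines are dependency constraints and are skipped.
def parse_lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line == "  specs:"
      in_specs = true
      next
    end
    in_specs = false if line.match?(/\A\S/) # next top-level section (PLATFORMS, DEPENDENCIES, ...)
    next unless in_specs
    m = line.match(/\A    ([^\s(]+) \(([^)]+)\)\z/)
    specs[m[1]] = m[2] if m
  end
  specs
end

# Returns one [name, version, reason] triple per lockfile entry that needs attention.
def audit_lockfile(text)
  parse_lockfile_specs(text).filter_map do |name, version|
    next unless COMPROMISED_GEMS.key?(name)
    bad_versions = COMPROMISED_GEMS[name]
    if bad_versions.nil?
      [name, version, "gem named in the incident; confirm this version is clean"]
    elsif bad_versions.include?(version)
      [name, version, "known compromised version"]
    end
  end
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    specs:
      coin_base (0.1.0)
      rest-client (1.6.13)
        mime-types (>= 1.16, < 4.0)

  PLATFORMS
    ruby
LOCK

audit_lockfile(SAMPLE_LOCKFILE).each { |name, ver, why| puts "#{name} #{ver}: #{why}" }
```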

Attacks on developer accounts

Legitimate software packages, modules and libraries getting compromised is not a rare occurrence. Recent incidents include malicious Python libraries found on PyPI and malicious packages on npm.

Matthew Manning, the creator of rest-client, said that he’s responsible for the compromise.

“My RubyGems.org account was using an insecure, reused password that has leaked to the internet in other breaches. I made that account probably over 10 years ago, so it predated my use of password managers and I haven’t used it much lately, so I didn’t catch it in a 1Password audit or anything,” he explained.

Hacker News commenters put forward the idea that RubyGems, npm and other registries should regularly check password dumps against their own account databases so they can spot vulnerable developer accounts and notify their owners.

The incident also raised the question of whether these package repositories should make the use of two-factor authentication for developer accounts mandatory.
