
RubyGems Packages Laced with Bitcoin-Stealing Malware
2020-12-17 19:17

RubyGems, an open-source package repository and manager for the Ruby web programming language, has taken two of its software packages offline after they were found to be laced with malware.

"The gems contained malware that ran itself persistently on infected Windows machines and replaced any Bitcoin or cryptocurrency wallet address it found on the user's clipboard with the attacker's," according to Ax Sharma, researcher at Sonatype, writing in a Wednesday posting.

One of the two gems, "ruby bitcoin", contains only the malicious code and is a variation on "Bitcoin-ruby", a legitimate gem, Sharma told Threatpost. "Bitcoin-ruby" is a Ruby library for interacting with the Bitcoin protocol and network, with half a million downloads.

"We don't know who downloaded these packages and if they were included by a developer in their application as a dependency. If that was the case, we can't tell who further downloaded those applications shipped with pretty color or ruby bitcoin in them."

"While these gems stole cryptocurrency, as we have repeatedly seen with open-source malware striking GitHub, npm and RubyGems, attackers can exploit trust within the open-source community to deliver pretty much anything malicious, from sophisticated spying trojans like njRAT, to a whole new family of Discord info-stealing malware CursedGrabber."
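As an added example, not code from the Threatpost article or from Sonatype, the following Ruby script audits a Gemfile.lock for gems whose names are word-order permutations of, or within a small edit distance of, gems on a trusted allow-list, which is the pattern the "ruby bitcoin" / "Bitcoin-ruby" pairing above follows. The allow-list, the lock-file contents and the version numbers are constructed for the example; `suspicious_gems`, `lock_specs`, `name_tokens` and `edit_distance` are hypothetical helper names, not part of RubyGems or Bundler.

```ruby
# Constructed allow-list of gems a project is known to depend on directly.
TRUSTED_GEMS = %w[bitcoin-ruby rails].freeze

# Constructed Gemfile.lock excerpt; versions are placeholders, not real releases.
SAMPLE_LOCK = [
  "GEM",
  "  remote: https://rubygems.org/",
  "  specs:",
  "    bitcoin-ruby (1.0.0)",   # the legitimate gem
  "    ruby-bitcoin (0.1.0)",   # same words, swapped order
  "    railz (6.0.0)",          # one character away from "rails"
  "    rake (13.0.0)",          # unrelated, must not be flagged
].join("\n") + "\n"

# Split a gem name into its sorted lowercase word tokens,
# so "Ruby-Bitcoin" and "bitcoin-ruby" both become ["bitcoin", "ruby"].
def name_tokens(name)
  name.downcase.split(/[-_.]/).reject(&:empty?).sort
end

# Plain Levenshtein distance (insert / delete / substitute), row-by-row DP.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# Extract [name, version] pairs from the "specs:" section of a Gemfile.lock.
# Top-level gems are indented exactly four spaces; their dependencies (six
# spaces) are deliberately skipped so each gem is reported once.
def lock_specs(lock_text)
  lock_text.each_line.map do |line|
    m = line.match(/\A    ([A-Za-z0-9_.\-]+) \(([^)]+)\)\s*\z/)
    m && [m[1], m[2]]
  end.compact
end

# Report gems that are not on the allow-list but look like a trusted gem:
# either the same word tokens in another order, or a name within `max_dist`
# edits of a trusted name.
def suspicious_gems(lock_text, trusted = TRUSTED_GEMS, max_dist = 2)
  trusted_tokens = Hash[trusted.map { |g| [g, name_tokens(g)] }]
  lock_specs(lock_text).map do |name, version|
    next if trusted.include?(name)
    tokens = name_tokens(name)
    permuted = trusted.find { |g| trusted_tokens[g] == tokens }
    reason = permuted && "token permutation of #{permuted}"
    unless reason
      near = trusted.find { |g| edit_distance(name.downcase, g) <= max_dist }
      reason = near && "within edit distance #{max_dist} of #{near}"
    end
    reason && { name: name, version: version, reason: reason }
  end.compact
end

if __FILE__ == $0
  suspicious_gems(SAMPLE_LOCK).each do |f|
    puts "#{f[:name]} (#{f[:version]}): #{f[:reason]}"
  end
end
```

On the constructed lock file the script reports `ruby-bitcoin` as a token permutation of `bitcoin-ruby` and `railz` as one edit from `rails`, while `rake` passes. The edit-distance rule is a heuristic: on very short names a distance of 2 produces false positives, so in practice the threshold is tuned or gated on name length, and a hit is a prompt to verify the gem's publisher and download history before it is kept as a dependency.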


News URL

https://threatpost.com/rubygems-packages-bitcoin-stealing-malware/162360/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Rubygems 2 0 3 16 4 23