Security News

RubyGems Makes Multi-Factor Authentication Mandatory for Top Package Maintainers
2022-08-17 04:46

RubyGems, the official package manager for the Ruby programming language, has become the latest platform to mandate multi-factor authentication for popular package maintainers, following in the footsteps of NPM and PyPI. To that end, owners of gems with over 180 million total downloads are mandated to turn on MFA effective August 15, 2022. What's more, gem maintainers who cross 165 million cumulative downloads are expected to receive reminders to turn on MFA until the download count touches the 180 million threshold, at which point it will be made mandatory.

RubyGems now requires multi-factor auth for top package maintainers
2022-08-16 23:17

RubyGems.org, the Ruby programming community's software package registry, now requires maintainers of popular "Gems" to secure their accounts using multi-factor authentication. The added security precaution is intended as an additional barrier to account takeovers, the second-most common software supply-chain attack, according to a 2021 research paper, "Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages."

Critical Gems Takeover Bug Reported in RubyGems Package Manager
2022-05-10 19:45

The maintainers of the RubyGems package manager have addressed a critical security flaw that could have been abused to remove gems and replace them with rogue versions under specific circumstances. "Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so," RubyGems said in a security advisory published on May 6, 2022.

RubyGems supply chain rip-and-replace bug fixed – check your logs!
2022-05-09 18:41

The bug, dubbed CVE-2022-29176, could have allowed attackers to remove a package that wasn't theirs, and then to replace it with a modified version of their own. The RubyGems security bulletin notes that package owners receive an automatic email notification whenever a package of theirs is yanked or published, yet no support tickets were ever received to report peculiar and unexpected changes of this sort.

Check your gems: RubyGems fixes unauthorized package takeover bug
2022-05-08 20:59

An initial audit from RubyGems reveals that the vulnerability has not been exploited within the last 18 months to alter any gems, but a deeper audit is still in progress with results yet to be announced. This week, RubyGems announced that a critical bug could've enabled any RubyGems.org user to yank versions of a gem that they didn't have authorization for, and replace the gem's contents with newer files.

GitHub now scans for accidentally-exposed PyPI, RubyGems secrets
2021-06-09 07:24

GitHub has recently expanded its secrets scanning capabilities to repositories containing PyPI and RubyGems registry secrets. The move helps protect millions of applications built by Ruby and Python developers who may inadvertently be committing secrets and credentials to their public GitHub repos.

RubyGems Packages Laced with Bitcoin-Stealing Malware
2020-12-17 19:17

RubyGems, an open-source package repository and manager for the Ruby web programming language, has taken two of its software packages offline after they were found to be laced with malware. "The gems contained malware that ran itself persistently on infected Windows machines and replaced any Bitcoin or cryptocurrency wallet address it found on the user's clipboard with the attacker's," according to Ax Sharma, researcher at Sonatype, writing in a Wednesday posting.

Two Malware-Laced Gems Found in RubyGems Repository
2020-12-17 12:44

Two Ruby gems that were found to pack malware capable of running persistently on infected machines were removed recently from the RubyGems hosting service. The two gems, pretty_color and ruby-bitcoin, contained malware that was targeting Windows machines and which was meant to replace any cryptocurrency wallet address in the clipboard with an attacker-supplied one.

Malicious RubyGems packages used in cryptocurrency supply chain attack
2020-12-16 11:00

New malicious RubyGems packages have been discovered that are being used in a supply chain attack to steal cryptocurrency from unsuspecting users. As anyone can upload a Gem to the RubyGems repository, it allows threat actors to upload malicious packages to the repository in the hopes that another developer will integrate it into their program.

Trove of RubyGems malware highlights software supply chain issues
2020-04-23 13:54

Rather than reinventing the wheel by writing their own code to handle common tasks, developers write it once as a software package and upload it to repositories. These repositories contain thousands of packages for developers to download. The upside is that it accelerates software development.