Typosquatting RubyGems laced with Bitcoin-stealing malware have been downloaded thousands of times • The VPNOnlineFree


“Apparently no transaction has been made”, but the incident highlights the risks in the software supply chain


Malware in software packages means that even trusted repositories are not always secure

A researcher discovered malicious packages in the RubyGems repository, one of which was downloaded more than 2,000 times.

RubyGems, the standard package manager for Ruby, was studied by threat analyst Tomislav Maljic at ReversingLabs, whose research analysed packages submitted to the repository that have names similar to existing popular gems: possible cases of “typosquatting”, where the authors name a package using a common misspelling, or swap a single character, so that developers install it by mistake.

The search found more than 400 suspicious gems, including “atlas-client”, which was downloaded 2,100 times by developers who were probably looking for the legitimate gem named atlas_client. The rogue gems contained renamed Windows executables with a .png extension, together with a Ruby script that renamed and executed the file. The malware then created a new VBScript file with an autorun Registry key to run it on startup: old-fashioned malware and nothing too technical.
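The hyphen-for-underscore swap behind “atlas-client” is the kind of near-miss a dependency review can catch mechanically. The following is an added example, not code from the article or from ReversingLabs: it parses the specs section of a Gemfile.lock and flags gem names that are not on a constructed allow-list of approved gems but sit within one edit of an entry on it (the allow-list, the lockfile fragment and the distance threshold are assumptions for illustration).

```ruby
# Added example: flag gem names in a Gemfile.lock that look like typosquats
# of approved gems. Not from the article; allow-list and lockfile are constructed.
require 'set'

# Constructed allow-list; in practice build it from your approved dependency inventory.
POPULAR_GEMS = %w[atlas_client rails nokogiri rack bundler rspec].freeze

# Plain Levenshtein edit distance between two strings (single-row DP).
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Normalise separators so "atlas-client" and "atlas_client" compare as equal:
# the hyphen/underscore swap is exactly the trick the article describes.
def normalize(name)
  name.downcase.tr('-', '_')
end

# Return [name, suspected_target] pairs for names that are not on the
# allow-list but within `max_distance` edits of an entry on it.
def suspicious_gems(names, popular = POPULAR_GEMS, max_distance: 1)
  allowed = Set.new(popular)
  names.reject { |n| allowed.include?(n) }.each_with_object([]) do |n, hits|
    target = popular.min_by { |p| edit_distance(normalize(n), normalize(p)) }
    next if target.nil?
    hits << [n, target] if edit_distance(normalize(n), normalize(target)) <= max_distance
  end
end

# Top-level entries in the "specs:" section of a Gemfile.lock are indented by
# exactly four spaces; their own dependencies use six, so they are skipped.
def gem_names_from_lockfile(text)
  text.scan(/^    ([A-Za-z0-9_.-]+) \(/).flatten.uniq
end

# Constructed lockfile fragment containing the typosquat named in the article.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      atlas-client (0.0.1)
      nokogiri (1.10.9)
      rspecc (3.9.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  suspicious_gems(gem_names_from_lockfile(SAMPLE_LOCK)).each do |name, target|
    puts "#{name}: looks like a typosquat of #{target}"
  end
end
```

A real allow-list should come from a curated inventory rather than a popularity ranking, since the attacker's gem is by definition the one that is not on it.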

“It starts an infinite loop where it captures data from the user's clipboard … the script then checks to see if the data on the clipboard matches the format of a cryptocurrency wallet address,” reported Maljic. “If so, it replaces the address with an address controlled by the attacker.”

In truth, the malware is not very advanced. It is looking for a Ruby developer on Windows whose system is also used for Bitcoin transactions. “A rare breed indeed,” said Maljic. “At the time of writing this blog, it appears that no transactions have been made to this wallet.”

He added that “the RubyGems security team has been contacted and all packages from the reported users have been removed from the repository”.

The biggest concern is how easy it is to slip malware into one of the most widely used package managers. Modern software development is built on packages downloaded from repositories, not only RubyGems but also NPM (JavaScript libraries), NuGet (.NET packages), Maven (Java), Cargo (Rust), PEAR (PHP), PyPI (Python) and many others. Last year, the same researcher reported on an NPM package that steals passwords. In 2018, malicious code was found in the event-stream NPM package, which had been downloaded almost 8 million times, according to open-source security specialist Snyk.

In February, the Linux Foundation released a white paper [PDF] on the security of the open source software supply chain, concluding: “Software repositories, package managers, and vulnerability databases are all necessary components of the software supply chain, as are developers and the end users who operate them. Unless and until the inherent weaknesses in their current designs and procedures are addressed, however, they will continue to expose the businesses and developers who rely on them to significant risk.”

This includes not only malware, but also programming errors that introduce vulnerabilities.

The foundation is committed to convening “a meeting of world technology leaders to work across application and product security groups to devise collective solutions to solve these problems”.

There are tools to counter the threats, including projects such as OWASP Dependency-Check, and the repositories' own efforts to improve security. “We will integrate GitHub and npm to improve the security of the open source software supply chain,” said Nat Friedman, CEO of GitHub, last week on the acquisition of NPM.

It's a tricky problem, and it's not just when writing code that developers need to be careful what they type. ®
