
Maintainers of the RubyGems package repository have yanked 18 malicious versions of 11 Ruby libraries that contained a backdoor mechanism and were caught inserting code that launched hidden cryptocurrency mining operations inside other people's Ruby projects.

The malicious code was first discovered yesterday[1] inside four versions of rest-client, an extremely popular Ruby library.

According to an analysis by Jan Dintel[2], a Dutch Ruby developer, the malicious code found in rest-client would collect and send the URL and environment variables of a compromised system to a remote server in Ukraine.

"Depending on your set-up this can include credentials of services that you use e.g. database, payment service provider," Dintel said.

The code also contained a backdoor mechanism that allowed the attacker to send a cookie file back to a compromised project, allowing the attacker to execute malicious commands.

A subsequent investigation[3] by the RubyGems staff discovered that this mechanism was being abused to insert cryptocurrency mining code. RubyGems staff also uncovered similar code in 10 other projects:

rest-client: 1.6.10 (downloaded 176 times since August 13, 2019), 1.6.11 (downloaded 2 times since August 14, 2019), 1.6.12 (downloaded 3 times since August 14, 2019), and 1.6.13 (downloaded 1,061 times since August 14, 2019)
bitcoin_vanity: 4.3.3 (downloaded 8 times since May 12, 2019 )
lita_coin: 0.0.3 (downloaded 210 times since July 17, 2019)
coming-soon: 0.2.8 (downloaded 211 times since July 17, 2019)
omniauth_amazon: 1.0.1 (downloaded 193 times since July 26, 2019)
cron_parser: 0.1.4 (downloaded 2 times since July 8, 2019), 1.0.12 (downloaded 3 times since July 8, 2019), and 1.0.13 (downloaded 248 times since July 8, 2019)
coin_base: 4.2.1 (downloaded 206 times since July 9, 2019) and 4.2.2 (downloaded 218
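As an added example (not code from the article, RubyGems or any of the affected projects), the following Ruby script checks a project's Gemfile.lock against the yanked gem versions named above; the article's list is cut off, so the table only covers the versions it shows, and the sample lockfile is constructed for illustration.

```ruby
# Added example: scan a Gemfile.lock for the yanked gem versions the article
# lists. Only versions named in the article are included; the article's list
# is truncated, so this table is not the complete set of affected versions.
AFFECTED_VERSIONS = {
  "rest-client"     => %w[1.6.10 1.6.11 1.6.12 1.6.13],
  "bitcoin_vanity"  => %w[4.3.3],
  "lita_coin"       => %w[0.0.3],
  "coming-soon"     => %w[0.2.8],
  "omniauth_amazon" => %w[1.0.1],
  "cron_parser"     => %w[0.1.4 1.0.12 1.0.13],
  "coin_base"       => %w[4.2.1 4.2.2],
}.freeze

# Gemfile.lock lists resolved gems under "specs:" as "    name (version)" with
# exactly four spaces of indentation; a gem's own dependencies are indented
# deeper and must not be matched.
SPEC_LINE = /\A {4}(?<name>\S+) \((?<version>[^\s)]+)\)\s*\z/

# Returns [[name, version], ...] for every locked gem at a yanked version.
def affected_gems(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = SPEC_LINE.match(line)
    next unless m
    versions = AFFECTED_VERSIONS[m[:name]]
    [m[:name], m[:version]] if versions&.include?(m[:version])
  end
end

# Constructed sample lockfile: one affected gem, a clean version of another
# affected gem, and an unrelated gem.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      cron_parser (1.0.13)
      mime-types (3.3)
      rest-client (2.1.0)
        mime-types (>= 1.16, < 4.0)

  DEPENDENCIES
    cron_parser
    rest-client
LOCK

if __FILE__ == $PROGRAM_NAME
  # Pass a path to a real Gemfile.lock; without one the constructed sample is used.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  affected_gems(text).each { |name, ver| puts "#{name} #{ver}: yanked malicious version" }
end
```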

Read more from our friends at ZDNet