RubyGems Under Siege: 275,000 Downloads of Malicious Gems Fuel Credential Theft Campaign
A sophisticated campaign built on 60 malicious Ruby gems has been downloaded more than 275,000 times into developer environments since 2023, stealing credentials for platforms such as Instagram, TikTok, and WordPress. Security firm Socket uncovered the operation, revealing deceptive GUIs and hardcoded C2 servers that siphon plaintext credentials to attacker-controlled domains. At least 16 of these dangerous packages remain active on RubyGems despite reports.