RubyGems, PyPI Hit by Malicious Packages Stealing Credentials, Crypto, Forcing Security Changes
Briefly

A set of 60 malicious packages targeting the RubyGems ecosystem has been discovered, active since at least March 2023. These packages masquerade as automation tools for social media and messaging services in order to steal user credentials. The gems have been downloaded over 275,000 times. Users enter their credentials into the gem's user interface, after which the information is exfiltrated to external servers. Some packages target financial discussion platforms, marketed as tools to manipulate discussions and public perception, and send the captured data to specific attacker-controlled domains.
A fresh set of 60 malicious packages has been uncovered targeting the RubyGems ecosystem by posing as seemingly innocuous automation tools for social media, blogging, or messaging services to steal credentials from unsuspecting users.
While the identified gems offered the promised functionality, such as bulk posting or engagement, they also harbored covert functionality to exfiltrate usernames and passwords to an external server under the threat actor's control.
Notable gems like njongto_duo and jongmogtolon focus on financial discussion platforms, marketed as tools to flood investment-related forums with ticker mentions and stock narratives.
The servers used to receive captured information include programzon[.]com, appspace[.]kr, and marketingduo[.]co[.]kr, which advertise bulk messaging, phone number scraping, and automated social media tools.
Read at The Hacker News