The RubyGems package repository has removed 18 backdoored versions of 11 Ruby software libraries. The backdoors were designed to covertly run cryptocurrency miners on the machines that installed them (via ZDNet).
Dutch Ruby developer Jan Dintel said the code found in rest-client would send the target’s URL and environment variables to a remote Ukrainian server. “Depending on your set-up this can include credentials of services that you use e.g. database, payment service provider.”
The backdoor also let the attacker push a cookie to the infected host and use it to execute commands remotely. RubyGems found that the code was being used to deploy cryptocurrency miners. Ten other gems were found to contain the same code.
- rest-client: 1.6.10 (downloaded 176 times since August 13, 2019), 1.6.11 (downloaded 2 times since August 14, 2019), 1.6.12 (downloaded 3 times since August 14, 2019), and 1.6.13 (downloaded 1,061 times since August 14, 2019)
- bitcoin_vanity: 4.3.3 (downloaded 8 times since May 12, 2019)
- lita_coin: 0.0.3 (downloaded 210 times since July 17, 2019)
- coming-soon: 0.2.8 (downloaded 211 times since July 17, 2019)
- omniauth_amazon: 1.0.1 (downloaded 193 times since July 26, 2019)
- cron_parser: 0.1.4 (downloaded 2 times since July 8, 2019), 1.0.12 (downloaded 3 times since July 8, 2019), and 1.0.13 (downloaded 248 times since July 8, 2019)
- coin_base: 4.2.1 (downloaded 206 times since July 9, 2019) and 4.2.2 (downloaded 218 times since July 16, 2019)
- blockchain_wallet: 0.0.6 (downloaded 201 times since July 10, 2019) and 0.0.7 (downloaded 222 times since July 16, 2019)
- awesome-bot: 1.18.0 (downloaded 232 times since July 15, 2019)
- doge-coin: 1.0.2 (downloaded 213 times since July 17, 2019)
- capistrano-colors: 0.5.5 (downloaded 175 times since August 1, 2019)
In total, the 18 malicious library versions amassed only 3,584 downloads before being removed from RubyGems.
Projects that have any of these libraries in their dependency tree are advised to remove them, or to upgrade or downgrade to a version not listed above.