No REST for the wicked: Ruby gem hacked to siphon passwords, secrets from web devs

Developer account cracked due to credential reuse, source tampered with and released to hundreds of programmers

A tampered release on an old branch of the Ruby package rest-client, pushed to the RubyGems repository about a week ago, has been yanked after it was found to be deliberately leaking users' credentials to a remote server.

Jussi Koljonen, a developer with Visma in Helsinki, Finland, discovered the malicious code in rest-client v1.6.13 and opened an issue on the project's GitHub repository to report it. The gem, an HTTP client used by Ruby developers to send REST requests to web services, had been altered to fetch a payload from pastebin.com that steals usernames, passwords, and other secrets from the machine running it.

According to Jan Dintel, a developer with BEEQUIP in Rotterdam, when the infected client is used to send a request to any host other than localhost, the malware sends the URL of that request, together with the process's environment variables, to the attacker. Environment variables commonly hold authentication tokens, API keys, and other secrets you really don't want in the wrong hands, and those details can be reused by whoever is behind the malicious code to hijack the victims' accounts.

The fetched payload also gave the attacker arbitrary Ruby code execution on the infected host, and it overrode the #authenticate method of the Identity class so that the user's email address and password were leaked every time that method was called to log in to a service.
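To illustrate the mechanism behind that last point, here is an added Ruby example (not code from the article, from the rest-client gem, or from the malicious payload) showing how later-loaded code can reopen a class and replace #authenticate while keeping its visible behaviour, and a check a developer can run to see whether a method's current definition still lives where the application defined it. The Identity class, the CAPTURED store and the ORIGINAL_LOCATION snapshot are constructed for this example; the exfiltration is replaced by an in-process array.

```ruby
# Added illustration, not code from the article, rest-client or the payload.
# The Identity class below is a constructed stand-in for an application's
# own login model.
class Identity
  attr_reader :email

  def initialize(email, password)
    @email = email
    @password = password
  end

  # Legitimate implementation: true only when the password matches.
  def authenticate(password)
    @password == password
  end
end

# Snapshot taken at application boot, before third-party gems are loaded:
# [file, line] of the definition the application expects to be in effect.
ORIGINAL_LOCATION = Identity.instance_method(:authenticate).source_location.freeze

# Simulates what a trojaned dependency can do: reopen the class and swap
# #authenticate for a wrapper that records the credentials, then defers to
# the original so nothing looks different to the caller. The real malware
# sent the data to a remote server; here it only goes into CAPTURED.
CAPTURED = []

Identity.class_eval do
  original = instance_method(:authenticate)

  define_method(:authenticate) do |password|
    CAPTURED << [email, password]          # the "leak"
    original.bind(self).call(password)     # behaviour appears unchanged
  end
end

# Check: where does Identity#authenticate come from right now?
def authenticate_source
  Identity.instance_method(:authenticate).source_location
end

# True when the method in effect is no longer the one defined at boot.
# In a real application, compare against the files you expect (for example
# app/models/identity.rb) rather than a snapshot, or run this after
# Bundler.require to catch gems that monkey-patch authentication code.
def authenticate_patched?
  authenticate_source != ORIGINAL_LOCATION
end

if __FILE__ == $PROGRAM_NAME
  user = Identity.new("dev@example.com", "hunter2")
  puts "login ok? #{user.authenticate('hunter2')}"
  puts "captured:  #{CAPTURED.inspect}"
  puts "patched?   #{authenticate_patched?} (now defined at #{authenticate_source.inspect})"
end
```

The point of the check is that Ruby's open classes let any loaded file redefine any method; `Method#source_location` is the cheapest way to see which file currently owns a sensitive method, and it is worth running against login, signing and HTTP-client methods after all gems have loaded.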

A former maintainer of the compromised gem, Matthew Manning, a software developer based in Atlanta, Georgia, promptly apologized, saying that his rubygems.org account had been compromised.

"I take responsibility for what happened here," he explained in a post on Hacker News. "My rubygems.org account was using an insecure, reused password that has leaked to the internet in other breaches. I made that account probably over 10 years ago, so it predated my use of password managers and I haven't used it much lately, so I didn't catch it in a 1Password audit or anything. Sometimes we miss things despite our best efforts. Rotate your passwords, kids."

In an email to The Register, Manning said, "I believe this type of attack is called 'credential stuffing' which is a subcategory of brute force attack. I had no idea anything had happened until a security researcher emailed me yesterday, around the time the GitHub issue was opened."

The CVE assigned to the incident is CVE-2019-15224. It is estimated that only about 1,000 people downloaded rest-client v1.6.13, so the fallout from the incident is likely to be limited.

The maintainers of rubygems.org yanked not only rest-client v1.6.10 through v1.6.13 (released August 13 and 14) but also a handful of other gems found to carry related malicious code, including:

  • bitcoin_vanity: 4.3.3
  • lita_coin: 0.0.3
  • coming-soon: 0.2.8
  • omniauth_amazon: 1.0.1
  • cron_parser: 1.0.12, 1.0.13, 0.1.4
  • coin_base: 4.2.2, 4.2.1
  • blockchain_wallet: 0.0.6, 0.0.7
  • awesome-bot: 1.18.0
  • doge-coin: 1.0.2
  • capistrano-colors: 0.5.5
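As an added practical check (not from the article, rubygems.org or any of the projects named), the following Ruby snippet scans a Gemfile.lock for the yanked versions listed above and also looks through the gems installed for the running Ruby. The lockfile text is a constructed sample; the version table is taken from the list above, and a platform suffix on a version string (for example `-x86_64-linux`) is ignored when matching.

```ruby
# Added example, not code from the article, rubygems.org or rest-client.
# Version table built from the yanked-gem list in the article.
COMPROMISED_GEMS = {
  "rest-client"       => %w[1.6.10 1.6.11 1.6.12 1.6.13],
  "bitcoin_vanity"    => %w[4.3.3],
  "lita_coin"         => %w[0.0.3],
  "coming-soon"       => %w[0.2.8],
  "omniauth_amazon"   => %w[1.0.1],
  "cron_parser"       => %w[1.0.12 1.0.13 0.1.4],
  "coin_base"         => %w[4.2.2 4.2.1],
  "blockchain_wallet" => %w[0.0.6 0.0.7],
  "awesome-bot"       => %w[1.18.0],
  "doge-coin"         => %w[1.0.2],
  "capistrano-colors" => %w[0.5.5],
}.freeze

# Gem lines in the `specs:` block of a Gemfile.lock are indented by exactly
# four spaces ("    rest-client (1.6.13)"). Transitive dependency lines are
# indented six and DEPENDENCIES entries two, so neither matches this pattern.
SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\s*\z/

# "1.10.4-x86_64-linux" -> "1.10.4": drop any platform suffix before matching.
def plain_version(version)
  version.split("-", 2).first
end

def compromised?(name, version)
  COMPROMISED_GEMS.fetch(name, []).include?(plain_version(version))
end

# Returns [[name, version], ...] for every locked gem on the yanked list.
def compromised_in_lockfile(lockfile_text)
  found = []
  lockfile_text.each_line do |line|
    m = SPEC_LINE.match(line)
    next unless m
    name, version = m[1], plain_version(m[2])
    found << [name, version] if compromised?(name, version)
  end
  found
end

# Same check against gems actually installed for this Ruby, using RubyGems'
# own specification index (catches gems pulled in outside of Bundler).
def installed_compromised_gems
  found = []
  Gem::Specification.each do |spec|
    version = plain_version(spec.version.to_s)
    found << [spec.name, version] if compromised?(spec.name, version)
  end
  found
end

# Constructed sample lockfile for the demonstration (not a real project's).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.3)
      rest-client (1.6.13)
        mime-types (>= 1.16, < 4.0)
      cron_parser (1.0.12)
      nokogiri (1.10.4-x86_64-linux)
      rake (12.3.3)

  PLATFORMS
    ruby
    x86_64-linux

  DEPENDENCIES
    cron_parser
    nokogiri
    rake
    rest-client (~> 1.6)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_LOCKFILE : File.read(ARGV[0])
  compromised_in_lockfile(text).each { |name, ver| puts "lockfile: #{name} #{ver}" }
  installed_compromised_gems.each   { |name, ver| puts "installed: #{name} #{ver}" }
end
```

Run it as `ruby check_gems.rb path/to/Gemfile.lock`; the lockfile scan is what you would drop into CI, while the installed-gem scan covers developer machines where a gem may have been installed by hand and never recorded in a lockfile.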

The incident recalls another compromised gem spotted last month, strong_password v0.0.7, and similar attacks on JavaScript libraries distributed through the npm registry, such as the compromises of purescript-installer, electron-native-notify and event-stream.

When such attacks on developer accounts succeed, they give miscreants a way to multiply their effort: a single hijacked account becomes many compromised systems when other developers pull in the tampered library and ship it inside their own applications to their users.

Since developer-focused attacks have become more common, software repositories like rubygems.org, npm, and PyPI have encouraged developers to use multifactor authentication to help defend their accounts. ®
