Typosquatting RubyGems laced with Bitcoin-nabbing malware have been downloaded thousands of times

A researcher has uncovered malicious packages in the RubyGems repository, one of which was downloaded more than 2,000 times.

RubyGems, the standard package manager for Ruby, was studied by threat analyst Tomislav Maljic at ReversingLabs, who highlighted research based on analysing packages submitted to the repository that have similar names to existing popular gems – possible cases of "typosquatting," where perpetrators name a package using a common misspelling or substitute a character to mislead developers into installing it by mistake.

The research found over 400 suspect gems including "atlas-client", which was downloaded 2,100 times by developers likely looking for the legitimate gem named atlas_client. The rogue gems contained Windows executables renamed with a .png extension, along with a Ruby script that renamed and ran the file. The malware then created a new VBScript file along with an autorun registry key to run it on startup – old-school malware and nothing too technical.

"It starts an infinite loop where it captures the user's clipboard data... the script then checks if the clipboard data matches the format of a cryptocurrency wallet address," Maljic reported. "If it does, it replaces the address with an attacker-controlled one."

In truth, the malware is not very advanced. It is looking for a Ruby developer on Windows whose system is also used for Bitcoin transactions. "A rare breed indeed," remarked Maljic. "At the time of writing this blog, seemingly no transactions were made for this wallet."

He added that "the RubyGems security team has been contacted, and all packages from reported users have been removed from the repository".

The bigger concern is how easy it is to get malware into one of the most widely used package managers. Modern software development is reliant on packages downloaded from repositories, not only RubyGems but also via NPM (JavaScript libraries), NuGet (.NET packages), Maven (Java), Cargo (Rust), PEAR for PHP, PyPI (Python) and many others. Last year the same researcher reported on an NPM package that steals passwords. In 2018, malicious code was found in the NPM package event-stream and was downloaded nearly 8 million times, according to open-source security specialist Snyk.

In February, the Linux Foundation published a white paper [PDF] on the security of the open-source software supply chain, concluding: "Software repositories, package managers, and vulnerability databases are all necessary components of the software supply chain, as are the developers and end users who leverage them. Unless and until the weaknesses inherent within their current designs and procedures are addressed, however, they will continue to expose the companies and developers who rely upon them to significant risk."

This includes not only malware, but also programming errors that introduce vulnerabilities.

The foundation undertook to convene "a meeting of global technology leaders in working across application and product security groups in order to design collective solutions to address these problems."

Tools exist to counter threats, including commercial software projects like OWASP Dependency Track, and the efforts of repositories to improve security. "We'll integrate GitHub and npm to improve the security of the open source software supply chain," GitHub CEO Nat Friedman said last week about the acquisition of NPM.

It is a tricky problem, and it is not only when writing code that developers should be careful what they type. ®