
Supply-chain attack hits RubyGems repository with 725 malicious packages

SOURCE: https://arstechnica.com/information-technology/2020/04/725-bitcoin-stealing-apps-snuck-into-ruby-repository/
Summary

More than 725 malicious packages downloaded thousands of times were recently found populating RubyGems, the official channel for distributing programs and code libraries for the Ruby programming language. The malicious packages were downloaded almost 100,000 times, although a significant percentage of those are likely the result of scripts that automatically crawl all 158,000 packages available in the repository, Tomislav Pericin, the cofounder and chief software architect of security firm ReversingLabs, told Ars. All of them originated from just two user accounts: “JimCarrey” and “PeterGibbons.”

The accounts, which ReversingLabs suspects may be the work of a single individual, used a variation of typosquatting (the technique of giving a malicious file or domain a name that's similar to a commonly recognizable name) to give the impression they were legitimate.

As its persistence mechanism, it then creates a new autorun registry key “HCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Software Essentials.” With this, the malware ensures that it is run every time the system is started or rebooted. When the “Software Essentials.vbs” malicious script is executed, it starts an infinite loop where it captures the user’s clipboard data with the following lines of code:

Set objHTML = CreateObject("htmlfile")

The malicious package was downloaded 171 times, not including downloads from mirror sites.

A month later, attackers managed to pull off an even more impressive feat when they sneaked a bitcoin-stealing backdoor into event-stream, a code library with 2 million downloads from the NPM repository.
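The two signals the summary describes, a lookalike gem name and a Windows script bundled inside a Ruby package, can be turned into a simple pre-install triage check. This is an added example, not code from the Ars article or from ReversingLabs; the known-gem list, the package name and the file list it runs on are constructed samples.

```ruby
# Added example: triage a gem before installing it, using two signals from the
# article: (1) a package name that is a near-miss of a legitimate gem, and
# (2) a Windows script file (.vbs etc.) shipped in what should be a Ruby gem.
# KNOWN_GEMS is a constructed allowlist; a real check would load the names of
# the gems a project already depends on.

KNOWN_GEMS = %w[rails nokogiri rack bundler].freeze

# Plain Levenshtein edit distance between two strings.
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Case and "-"/"_" separators are a common typosquat variation, so strip them
# before comparing names.
def normalize(name)
  name.downcase.tr('-_', '')
end

# Returns the legitimate gem the name resembles, or nil if it is not a near-miss.
def typosquat_of(name, known = KNOWN_GEMS)
  return nil if known.include?(name)
  known.find do |legit|
    normalize(legit) == normalize(name) || levenshtein(legit, name) <= 1
  end
end

SCRIPT_EXTENSIONS = %w[.vbs .bat .ps1 .exe].freeze

# Files a pure-Ruby gem has no reason to ship.
def suspicious_files(files)
  files.select { |f| SCRIPT_EXTENSIONS.include?(File.extname(f).downcase) }
end

def triage(name, files)
  findings = []
  legit = typosquat_of(name)
  findings << "name '#{name}' is a near-miss of '#{legit}'" if legit
  suspicious_files(files).each { |f| findings << "bundles Windows script #{f}" }
  findings
end

# Constructed sample package: a lookalike name plus the .vbs the article names.
puts triage('nokogirl', ['lib/nokogirl.rb', 'ext/Software Essentials.vbs'])
```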

As said here by Dan Goodin