60 malicious packages found on RubyGems, downloaded 275,000 times

📟 News

Date: 12/08/2025

On RubyGems, 60 malicious packages were discovered that masqueraded as harmless tools for automating social networks, blogs, and messengers. The gems stole users’ credentials and, since March 2023, have been downloaded more than 275,000 times.

Socket researchers, who tracked this campaign, report that the packages were primarily aimed at users in South Korea who rely on automation tools to work with TikTok, X, Telegram, Naver, WordPress, Kakao, and similar services.

The full list of malicious packages can be found in Socket’s report. Below are examples of typosquatting used by the attackers.

  • WordPress automation: wp_posting_duo, wp_posting_zon.
  • Telegram bots: tg_send_duo, tg_send_zon.
  • SEO tools for backlinks: backlink_zon, back_duo.
  • Tools for blog platforms: nblog_duo, nblog_zon, tblog_duopack, tblog_zon.
  • Tools for Naver Café: cafe_basics[_duo], cafe_buy[_duo], cafe_bey, *_blog_comment, *_cafe_comment.

The malware was published on RubyGems.org under the names of various publishers: zon, nowon, kwonsoonje, and soonje. Distributing the malicious activity across multiple accounts made tracking and blocking the attacks more difficult.

The researchers emphasize that all 60 gems had a graphical user interface that looked legitimate and implemented the advertised functionality. At the same time, all data entered by victims into login forms was transmitted to hard-coded addresses of the attackers’ servers (programzon[.]com, appspace[.]kr, marketingduo[.]co[.]kr).

In some cases, the tools also displayed error or success messages, even though they did not actually perform any logins or API requests.

Ultimately, usernames and passwords were transmitted in plaintext to the malware operators, along with device MAC addresses (for fingerprinting) and the names of the malicious packages (to track the effectiveness of the campaign).

Researchers note that they have found the stolen data for sale on Russian-language darknet marketplaces.

The report notes that at least 16 of the 60 malicious gems remain available for download, even though Socket notified the RubyGems team about all of the malicious packages.

Experts remind developers to always carefully scrutinize packages from open-source repositories for suspicious code (e.g., obfuscation), consider the author’s reputation and release history, and rely on versions that have already been vetted and are known to be safe.
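As an added illustration of that advice (example code written for this page, not Socket's tooling or anything from the report), the script below audits a Gemfile.lock against the gem names, publisher naming pattern and exfiltration hosts quoted in this article, flags lookalikes of the gems a project actually intends to use, and greps a gem's source for the hard-coded collection domains. The sample lockfile and source snippet are constructed, and the project allowlist passed to `audit_lockfile` is an assumption; the gem list covers only the names printed above, not all 60 from Socket's report.

```ruby
require "set"

# Gem names quoted in the article (partial; Socket's report lists all 60).
KNOWN_MALICIOUS_GEMS = %w[
  wp_posting_duo wp_posting_zon tg_send_duo tg_send_zon backlink_zon back_duo
  nblog_duo nblog_zon tblog_duopack tblog_zon cafe_basics cafe_basics_duo
  cafe_buy cafe_buy_duo cafe_bey
].to_set.freeze

# Naming pattern shared by the reported gems (suffixes seen in the list above).
CAMPAIGN_SUFFIX = /_(duo|zon|duopack|bey)\z/

# Exfiltration hosts from the article, kept defanged exactly as printed.
IOC_DOMAINS = ["programzon[.]com", "appspace[.]kr", "marketingduo[.]co[.]kr"].freeze

def refang(domain)
  domain.gsub("[.]", ".")
end

# Parse the "specs:" block of a Gemfile.lock into { gem_name => version }.
# Only directly locked gems (4-space indent) are collected; their transitive
# dependency lines (6-space indent) are skipped.
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.match?(/\A\S/) # next top-level section
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Wagner-Fischer edit distance, used to catch one- or two-character
# typosquats of the gems a project legitimately depends on.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# Return { gem_name => [reasons] } for every locked gem worth a second look.
# `allowlist` is the set of gem names the project intends to use (an
# assumption for this example; in practice derive it from the Gemfile).
def audit_lockfile(text, allowlist)
  findings = {}
  parse_lockfile(text).each_key do |name|
    reasons = []
    reasons << "reported malicious gem" if KNOWN_MALICIOUS_GEMS.include?(name)
    reasons << "matches campaign naming pattern" if name.match?(CAMPAIGN_SUFFIX)
    near = allowlist.select { |ok| ok != name && edit_distance(ok, name) <= 2 }
    reasons << "lookalike of #{near.join(', ')}" unless near.empty?
    findings[name] = reasons unless reasons.empty?
  end
  findings
end

# Scan a gem's source text for the hard-coded exfiltration hosts.
def ioc_hits(source)
  IOC_DOMAINS.select { |d| source.include?(refang(d)) }
end

# --- Constructed sample input (not real project files) ---
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
        racc (~> 1.4)
      racc (1.7.3)
      nokogirl (1.16.0)
      wp_posting_duo (1.0.2)
      tg_send_zon (0.3.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    wp_posting_duo
LOCK

SAMPLE_SOURCE = <<~SRC
  # constructed snippet imitating a hard-coded collection endpoint
  ENDPOINT = "https://api.programzon.com/collect"
SRC

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCK, %w[nokogiri racc]).each do |gem, why|
    puts "#{gem}: #{why.join('; ')}"
  end
  puts "IoC domains in source: #{ioc_hits(SAMPLE_SOURCE).join(', ')}"
end
```

Run it with `ruby audit_gems.rb`; to check a real project, replace `SAMPLE_LOCK` with `File.read("Gemfile.lock")` and feed `ioc_hits` the contents of each installed gem's files. Name and domain matching only catches this specific campaign, which is why the lookalike check against your own allowlist is included: it works for any future typosquat, not just the suffixes seen here.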
