Open-source security firm Sonatype reported about new malicious RubyGems packages have been discovered that are being used in a supply chain attack to steal cryptocurrency from unsuspecting users.
RubyGems is a package manager for the Ruby programming language that allows developers to download and integrate code developed by other people into their programs. As anyone can upload a Gem to the Ruby gem repository, it allows threat actors to upload malicious packages to the repository in the hopes that another developer will integrate it into their program.
The newly discovered malicious RubyGems install a clipboard hijacker. These packages are masquerading as a bitcoin library and a library for displaying strings with different color effects.
A clipboard hijacker monitors the Windows clipboard for cryptocurrency addresses, and if one is detected, replaces it with an address under the attacker’s control. Unless a user double-checks the address after they paste it, the sent coins will go to the attacker’s cryptocurrency address instead of the intended recipient.
The malicious packages are named ‘pretty_color-0.8.1.gem’ and ‘ruby-bitcoin-0.0.20.gem’ and contain a malicious Ruby script that creates VBS scripts that act as clipboard hijackers.
The ruby-bitcoin-0.0.20.gem package was added to RubyGems on December 7th and had 81 downloads. The pretty_color-0.8.1.gem package was added on December 13th and had 61 downloads. Both packages were removed by Ruby gems the day after they were added to the repository. At this time, none of the cryptocurrency addresses have received any funds.
