
RubyGems Packages - Supply Chain Attack

StrickerAss

Two malicious Ruby packages have been observed installing a clipboard hijacker that executes itself persistently on infected Windows machines. If developers integrate the malicious packages with their project, it would create a supply chain attack.

The two malicious packages, ruby-bitcoin and pretty_color, were found masquerading as a bitcoin library and a library for showing strings with various color effects, respectively.
-> The ruby-bitcoin package included an extconf [.] rb script with an obfuscated base64-encoded string. This creates a malicious VBS file and sets it up to start automatically whenever a user logs into Windows.
-> The pretty_color package had valid files that were taken from a trusted open-source component, colorize. It was an exact copy of the benign colorize package and had all its code, including the README.
-> The ruby-bitcoin package was added to RubyGems on December 7 and had 81 downloads; the pretty_color package was added on December 13 and had 61 downloads.

None of the cryptocurrency addresses had received any funds, as both malicious clipboard-hijacking packages were removed just a day after being added to the repository.
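The extconf [.] rb dropper pattern described in the post (an obfuscated base64 blob inside a gem's native build script that writes a VBS file into a Windows autostart location) can be screened for before a gem is built. The Ruby scanner below is an added example, not code from the post or from either package; the regex heuristics, the BENIGN_EXTCONF and SUSPICIOUS_EXTCONF samples and the scan_gem_dir helper are constructed for illustration and do not reproduce the real malicious script.

```ruby
require 'base64'

# Indicators worth flagging in a gem's extconf.rb (heuristics constructed for
# this example; tune the thresholds for your own environment).
CHECKS = {
  long_base64_literal: /["'][A-Za-z0-9+\/]{80,}={0,2}["']/,
  base64_decode:       /Base64\.(decode64|strict_decode64|urlsafe_decode64)/,
  dynamic_eval:        /\b(eval|instance_eval|class_eval)\s*[\(\s]/,
  vbs_artifact:        /\.vbs\b/i,
  windows_startup:     /Start Menu|\bStartup\b|CurrentVersion\\Run/i
}.freeze

# Returns the names of the checks that fire on the given script text.
def scan_extconf(source)
  CHECKS.select { |_name, pattern| source.match?(pattern) }.keys
end

# Flag when an opaque blob (or its decoding) is combined with a Windows
# persistence or VBS artifact, or when three or more indicators fire at once.
def suspicious?(findings)
  opaque  = findings.include?(:long_base64_literal) || findings.include?(:base64_decode)
  persist = findings.include?(:vbs_artifact) || findings.include?(:windows_startup)
  (opaque && persist) || findings.size >= 3
end

# Scan every extconf.rb under an installed-gem directory (e.g. Gem.dir) and
# return only the paths whose findings cross the threshold.
def scan_gem_dir(dir)
  Dir.glob(File.join(dir, '**', 'extconf.rb')).each_with_object({}) do |path, out|
    findings = scan_extconf(File.read(path))
    out[path] = findings if suspicious?(findings)
  end
end

# Constructed sample of an ordinary native-extension build script.
BENIGN_EXTCONF = <<~RUBY
  require 'mkmf'
  have_header('openssl/ssl.h')
  create_makefile('example/example')
RUBY

# Constructed sample of the dropper shape; the blob decodes to a harmless
# marker string and the script only references the autostart path.
BLOB = Base64.strict_encode64('placeholder ' * 12)
SUSPICIOUS_EXTCONF = <<~RUBY
  require 'mkmf'
  require 'base64'
  payload = Base64.decode64("#{BLOB}")
  target = File.join(ENV['APPDATA'].to_s, 'Microsoft', 'Windows', 'Start Menu', 'Programs', 'Startup', 'update.vbs')
  # a real dropper would write the file here; this sample only names the path
  create_makefile('example/example')
RUBY
```

Running scan_gem_dir(Gem.dir) in a CI step before `gem install` is allowed to build native extensions gives a cheap pre-build gate; a hit is a reason to inspect the gem, not proof of compromise.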