A fresh set of 60 malicious packages has been uncovered targeting the RubyGems ecosystem by posing as seemingly innocuous automation tools for social media, blogging, or messaging services to steal credentials from unsuspecting users.
The activity is assessed to be active since at least March 2023, according to the software supply chain security company Socket. Cumulatively, the gems have been downloaded more than 275,000 times.
That said, it bears noting that the figure may not accurately represent the actual number of compromised systems, as not every download results in execution, and it’s possible several of these gems have been downloaded to a single machine.
“Since at least March 2023, a threat actor using the aliases zon, nowon, kwonsoonje, and soonje has published 60 malicious gems posing as automation tools for Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver,” security researcher Kirill Boychenko said.
While the identified gems offered the promised functionality, such as bulk posting or engagement, they also harbored covert functionality to exfiltrate usernames and passwords to an external server under the threat actor’s control by displaying a simple graphical user interface to enter users’ credentials.
Some of the gems, such as njongto_duo and jongmogtolon, are notable for focusing on financial discussion platforms, with the libraries marketed as tools to flood investment-related forums with ticker mentions, stock narratives, and synthetic engagement to amplify visibility and manipulate public perception.
The servers that are used to receive the captured information include programzon[.]com, appspace[.]kr, and marketingduo[.]co[.]kr. These domains have been found to advertise bulk messaging, phone number scraping, and automated social media tools.
Victims of the campaign are likely to be grey-hat marketers who rely on such tools to run spam, search engine optimization (SEO), and engagement campaigns that artificially boost engagement.
“Each gem functions as a Windows-targeting infostealer, primarily (but not exclusively) aimed at South Korean users, as evidenced by Korean-language UIs and exfiltration to .kr domains,” Socket said. “The campaign evolved across multiple aliases and infrastructure waves, suggesting a mature and persistent operation.”
“By embedding credential theft functionality within gems marketed to automation-focused grey-hat users, the threat actor covertly captures sensitive data while blending into activity that appears legitimate.”
The development comes as GitLab detected multiple typosquatting packages on the Python Package Index (PyPI) that are designed to steal cryptocurrency from Bittensor wallets by hijacking the legitimate staking functions. The names of the Python libraries, which mimic bittensor and bittensor-cli, are below –
- bitensor (versions 9.9.4 and 9.9.5)
- bittenso-cli
- qbittensor
- bittenso
“The attackers appear to have specifically targeted staking operations for calculated…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
