
Bitcoin-stealing malware found in RubyGems
Malware that steals cryptocurrency has been found in the RubyGems repository, Sonatype specialists reported.
The malware was distributed in the packages pretty_color and ruby-bitcoin and targeted Windows devices. Once it reached a victim’s computer, the malware replaced cryptocurrency wallet addresses in the clipboard with the attacker’s wallet address, aiding in the theft of cryptocurrency.
The threat was difficult to detect because pretty_color contained legitimate files from the well-known open-source component colorize.
A textual version of the malicious script used in the attacks was found by researchers on GitHub under an unrelated account.
"The substitution of Bitcoin wallet addresses in the clipboard seems more like plain mischief on the part of an amateur attacker than a sophisticated extortion operation," say Sonatype analysts.
The malware has now been removed from the platform.
In April, hackers uploaded 725 malicious libraries to the RubyGems repository that stole data from users' clipboards. The malicious libraries masqueraded as legitimate libraries with nearly identical names.
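As an added example (not code from Sonatype, RubyGems or ForkLog), the following Ruby script audits a Gemfile.lock for the two gem names reported above and for names within two edits of gems a project intends to use, the pattern described for the April upload. The sample lockfile, the `colorizr` name and the intended-gem list are constructed for illustration.

```ruby
# Added example: audit a Gemfile.lock for the gems named in this report and for
# names within two edits of gems the project actually intends to use.
REPORTED_MALICIOUS = %w[pretty_color ruby-bitcoin].freeze # names from the article

# Levenshtein edit distance (row-by-row dynamic programming).
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Resolved gems sit at exactly four spaces of indent under "specs:";
# their dependencies are indented six spaces and are skipped.
def locked_gems(lock_text)
  lock_text.scan(/^ {4}([A-Za-z0-9_.-]+) \(/).flatten.uniq
end

# Returns [name, reason, lookalike_of] triples; `intended` is an assumed allowlist.
def audit(lock_text, intended)
  locked_gems(lock_text).each_with_object([]) do |name, findings|
    if REPORTED_MALICIOUS.include?(name)
      findings << [name, :reported_malicious, nil]
    elsif !intended.include?(name)
      near = intended.find { |g| edit_distance(name.tr('_', '-'), g.tr('_', '-')) <= 2 }
      findings << [name, :lookalike, near] if near
    end
  end
end

# Constructed lockfile; "colorizr" is a made-up lookalike, versions are arbitrary.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      colorize (0.8.1)
      colorizr (0.0.1)
      pretty_color (0.0.1)
      rake (13.0.1)
      ruby-bitcoin (0.0.1)
LOCK

audit(SAMPLE_LOCK, %w[colorize rake]).each { |f| puts f.compact.join("\t") }
```

Exact matches against the reported names are reliable; the edit-distance pass will also flag legitimately similar gem names, so treat its hits as items to review.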