Over 700 malicious packages with names similar to legitimate ones have been uploaded to RubyGems, a popular repository of third-party components for the Ruby programming language. The upload took place over the course of a week in February, researchers report. The rogue packages contained a malicious script that, when executed on Windows computers, hijacked cryptocurrency transactions by replacing the recipient’s wallet address with one controlled by the attacker.

Supply-chain attacks through third-party components and libraries have impacted the users of several open-source component repositories in recent years, including NPM and PyPI, which are used by JavaScript and Python developers, respectively. One of the techniques, which was also employed in this latest attack against RubyGems, is typosquatting: the publishing of packages with names similar to existing ones but with common typos developers are likely to make when typing package names manually — for example rspec-mokcs instead of rspec-mocks.
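A pre-install check for the look-alike names described above, as an added example that is not part of the article: it measures how many edits separate a requested gem name from a constructed list of well-known gems, counting a swapped pair of letters (the rspec-mokcs / rspec-mocks case) as a single edit, and reports any name that lands within one edit of a known gem.

```ruby
# Added example (not from the article): flag gem names that are one edit away
# from a well-known gem, the pattern behind typosquats such as rspec-mokcs.
# The list of known gems below is a constructed sample, not a registry dump.

KNOWN_GEMS = %w[rspec-mocks rspec-core nokogiri rails bundler rake].freeze

# Optimal string alignment distance: Levenshtein plus adjacent transpositions,
# so "mocks" -> "mokcs" (a swapped pair) counts as one edit instead of two.
def osa_distance(a, b)
  d = Array.new(a.length + 1) do |i|
    Array.new(b.length + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) }
  end
  (1..a.length).each do |i|
    (1..b.length).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min
      end
    end
  end
  d[a.length][b.length]
end

# Returns the known gem a candidate name is confusable with (within max_edits),
# or nil when the name is an exact known gem or not close to anything listed.
def typosquat_of(name, known = KNOWN_GEMS, max_edits: 1)
  return nil if known.include?(name)
  known.map { |k| [k, osa_distance(name, k)] }
       .select { |_, dist| dist <= max_edits }
       .min_by { |_, dist| dist }&.first
end

# Gate a Gemfile-style list before installation: exact names pass silently,
# near-misses come back as { requested_name => known_gem_it_resembles }.
def check_gems(names, known = KNOWN_GEMS)
  names.each_with_object({}) do |n, report|
    hit = typosquat_of(n, known)
    report[n] = hit if hit
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input mixing legitimate names with two look-alikes.
  puts check_gems(%w[rspec-mocks rspec-mokcs nokogiri nokogri rake]).inspect
end
```

A real deployment would draw the known list from download counts on the registry rather than a hand-written array, and treat a hit as a prompt for review rather than proof of malice.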

Software repositories have few protections

“There are very few protections out there for software developers to make sure that packages they install from these repositories are malware free,” Tomislav Pericin, co-founder and chief software architect at threat intelligence firm ReversingLabs, tells CSO. “Software security vendors that specialize in malware detection typically do not integrate with development environments. Currently the malware detection task is outsourced to endpoint protection solutions which in turn focus primarily on different kinds of malware that targets the end user. There is a huge gap in the market, which is being exploited by malware authors.”

Even though in this case the attacker was interested in stealing cryptocurrency, the clipboard hijacking script they used could have easily been designed to steal any login credentials that victims copied and pasted on their computers. Since these attacks target developers who have access to various internal development and software building environments, the impact can be serious and could lead to further supply-chain attacks against the users of the software they produce.

How the RubyGems attack worked

Modern applications have only a small percentage of original code. Most of their codebases come from reusable components developed by others and published on repositories like NPM, PyPI, RubyGems and others. While this simplifies and speeds software development, it introduces security issues related to code integrity and safety that are not yet fully addressed by the industry.

Components written in the Ruby programming language are called gems and are essentially TAR archives with a particular directory structure. They include a manifest file, binaries, libraries and tests. One interesting feature is that they can include extensions in the form of executable code, and it’s this functionality that the attacker chose to abuse in this case.