
Mining for Malicious Ruby Gems - afrcnc
https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems
======
bhaak
> The perfect candidate to succumb to this type of “spray-and-pray” supply
> chain attack is a Ruby developer whose environment of choice is a Windows
> system that’s also periodically being used to make BitCoin transactions. A
> rare breed indeed.

Very rare indeed. I suppose every package had its own BTC address. I wonder
how much they got away with.

But I thought rubygems does a similarity check for names and rejects or flags
them for manual verification if the name is too similar to an existing one?

------
quesera
I would support a Great Renaming, wherein underscores and dashes are
considered equivalent and insignificant:

    action-mailer_cache_delivery
    action-mailer-cache-delivery
    actionmailercachedelivery
    act-ion-ma-iler_c-ache-deli_very

Should resolve to the same entry in RubyGems.

I would also support this usage in `require` lines.

The "experts-exchange" (or "pen-is-mightier") problem is tiny compared to the
frustration and security risk of the present policy.

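An added example, written here and not taken from the article or from either commenter, of the normalisation rule proposed above (dashes and underscores insignificant, case folded) together with the collision check a registry could run before accepting a new name; it also adds a small audit over an existing index. The gem names in the index are constructed, not real registry data.

```ruby
# Added example (not from the article or the thread): canonical gem names
# under the "underscores and dashes are insignificant" rule, plus a
# pre-publication collision check and a registry-wide audit.

# Canonical key: lowercase, with every '-' and '_' removed.
def canonical_gem_name(name)
  name.downcase.gsub(/[-_]/, "")
end

# Group existing names by canonical key, so names that differ only in
# separators or case land on the same entry.
def build_canonical_index(names)
  names.group_by { |n| canonical_gem_name(n) }
end

# Existing names that already occupy the candidate's canonical slot.
# Returns [] when the candidate is genuinely new (or is itself).
def colliding_names(index, candidate)
  index.fetch(canonical_gem_name(candidate), []).reject { |n| n == candidate }
end

# Audit: canonical keys already held by more than one distinct published name,
# i.e. the separator collisions a registry would want to review.
def separator_collisions(names)
  build_canonical_index(names).select { |_, group| group.uniq.size > 1 }
end

# Constructed sample index; not real RubyGems data.
EXISTING_GEMS = %w[
  action-mailer_cache_delivery
  rails
  nokogiri
  atlas_client
].freeze

if __FILE__ == $0
  index = build_canonical_index(EXISTING_GEMS)
  %w[action-mailer-cache-delivery atlas-client rake].each do |candidate|
    hits = colliding_names(index, candidate)
    verdict = hits.empty? ? "free" : "collides with #{hits.join(', ')}"
    puts "#{candidate}: #{verdict}"
  end
end
```
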
------
lonelappde
Free software projects need to converge on standard platforms and tools. In
the modern complex world, it's bad enough that they can't keep up with
proprietary software features and polish. But they can't keep up with the
black hat industry either.

