
Supply-chain attack hits RubyGems repository with malicious packages - Tomte
https://arstechnica.com/information-technology/2020/04/725-bitcoin-stealing-apps-snuck-into-ruby-repository/
======
N_A_T_E
Looks like they had a neat attack vector but their ultimate end goal didn’t
have a wide enough net.

After stealing Windows users' clipboard contents: “the threat actor is trying
to redirect all potential cryptocurrency transactions to their wallet address.
At the time of writing this blog, seemingly no transactions were made for this
wallet.”

------
afrcnc
Actual source: [https://blog.reversinglabs.com/blog/mining-for-malicious-
rub...](https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems)

[https://news.ycombinator.com/item?id=22906714](https://news.ycombinator.com/item?id=22906714)

~~~
kickscondor
The target was Ruby developers who use Windows and Bitcoin. I didn't get the
sense that common libraries are infected - more that there are hundreds of
libraries that are typosquatting. It would be interesting to find out if any
of these libs ended up as dependencies.

Love the TacoBell.check_win.

The most successful attack was a change of an underbar (atlas_client) to a
dash (atlas-client). Seems good to standardize these kinds of non-alphanumeric
characters in library names. Still, seems like open source web stores like
this might need some level of human moderation?
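The underscore-to-dash swap described above is easy to catch mechanically if names are compared after normalising separator characters, with a small edit-distance check for the other common typosquats. The following is an added example, not code from the article, from RubyGems or from anyone in this thread; the "known gems" allowlist and the candidate names are constructed for the demonstration, and `atlas_client`/`atlas-client` are the only names taken from the thread.

```ruby
# Added example: flag gem names that collide with a trusted gem once '-', '_'
# and '.' are stripped, or that sit within a small edit distance of one.
# KNOWN_GEMS below is a constructed allowlist, not a real registry feed.

# Canonical form: lowercase with separator characters removed, so that
# "atlas_client" and "atlas-client" map to the same key.
def canonical(name)
  name.downcase.gsub(/[-_.]/, "")
end

# Classic Levenshtein edit distance via dynamic programming.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# Returns { candidate => { known: trusted_name, reason: symbol } } for every
# candidate that looks like an impersonation of a trusted name.
def find_lookalikes(candidates, known, max_distance: 1)
  return {} if known.empty?
  by_canonical = known.group_by { |k| canonical(k) }
  results = {}
  candidates.each do |cand|
    next if known.include?(cand) # exact match to a trusted gem, not a lookalike
    if (same = by_canonical[canonical(cand)])
      results[cand] = { known: same.first, reason: :separator_swap }
      next
    end
    nearest = known.min_by { |k| edit_distance(canonical(cand), canonical(k)) }
    d = edit_distance(canonical(cand), canonical(nearest))
    results[cand] = { known: nearest, reason: :edit_distance } if d <= max_distance
  end
  results
end

KNOWN_GEMS = %w[atlas_client rails nokogiri].freeze # constructed allowlist

if __FILE__ == $PROGRAM_NAME
  suspects = %w[atlas-client atlas_client nokogirl railz sinatra]
  find_lookalikes(suspects, KNOWN_GEMS).each do |name, info|
    puts "#{name} looks like #{info[:known]} (#{info[:reason]})"
  end
end
```

Run against a real dependency list (the gem names from a Gemfile.lock) and a list of gems the team actually intends to use, the separator-swap case is an exact hit rather than a fuzzy one, which is why it is reported separately from the edit-distance matches.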

------
Legogris
From the original article[0]:

> The script itself is rather simple. First, it creates a new VBScript file
> with the main malicious loop at the “%PROGRAMDATA%\Microsoft
> Essentials\Software Essentials.vbs” path. As its persistence mechanism, it
> then creates a new autorun registry key
> “HCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Software
> Essentials.” With this, the malware ensures that it is run every time the
> system is started or rebooted.

Good to see that the methods from 15 years ago are still valid.
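The persistence mechanism quoted above (a script interpreter launching a .vbs from %PROGRAMDATA% via a Run key) is exactly the kind of entry an autorun audit can flag. Below is an added example, not code from the article or from anyone in this thread: a small Ruby check over Run key entries. The input is a constructed imitation of `reg query` output, not a real capture; the `Microsoft Software Essentials` value name and the `Software Essentials.vbs` path are taken from the quoted text, while the other two entries are invented as benign-looking controls.

```ruby
# Added example: score autorun (Run key) entries for the pattern quoted above.
# SAMPLE is a constructed imitation of `reg query` output, not real data.

SCRIPT_EXT    = /\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b/i
SCRIPT_HOSTS  = /\b(wscript|cscript|mshta|powershell|pwsh)(\.exe)?\b/i
USER_WRITABLE = /(%PROGRAMDATA%|\\ProgramData\\|%APPDATA%|\\AppData\\|%TEMP%|\\Temp\\)/i

# Parses "    Name    REG_SZ    value" lines into [name, type, value] triples.
# Value names may contain spaces, so the name match is lazy and the type
# token must be preceded by at least two spaces.
def parse_run_entries(text)
  text.each_line.filter_map do |line|
    m = line.match(/^\s+(.+?)\s{2,}(REG_SZ|REG_EXPAND_SZ)\s+(.*?)\s*$/)
    m && [m[1], m[2], m[3]]
  end
end

# Returns only the entries that trip at least one signal, with the reasons.
# A single weak signal (e.g. a path under %APPDATA%) is still reported so the
# caller can decide on a threshold.
def suspicious_run_entries(text)
  parse_run_entries(text).filter_map do |name, _type, value|
    reasons = []
    reasons << :script_file        if value.match?(SCRIPT_EXT)
    reasons << :script_host        if value.match?(SCRIPT_HOSTS)
    reasons << :user_writable_path if value.match?(USER_WRITABLE)
    { name: name, command: value, reasons: reasons } unless reasons.empty?
  end
end

# Constructed sample; the second entry mirrors the quoted persistence key.
SAMPLE = <<~REG
  HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
      OneDrive    REG_SZ    "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background
      Microsoft Software Essentials    REG_SZ    wscript.exe "%PROGRAMDATA%\\Microsoft Essentials\\Software Essentials.vbs"
      Updater    REG_EXPAND_SZ    %APPDATA%\\Updater\\update.exe
REG

if __FILE__ == $PROGRAM_NAME
  suspicious_run_entries(SAMPLE).each do |e|
    puts "#{e[:name]}: #{e[:reasons].join(', ')}"
    puts "  #{e[:command]}"
  end
end
```

The entry that matches the quoted malware trips all three signals (script file, script host, user-writable location); the invented `Updater` entry trips only the path check, which shows why the reasons are returned as a list rather than a single boolean.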

[0]: [https://blog.reversinglabs.com/blog/mining-for-malicious-
rub...](https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems)

------
sytse
These attacks will become more common. I'm advocating to add a dependency
firewall to GitLab so that downloads of packages that show suspicious
behaviour will be paused. I've added some of the vectors of this attack to the
signals to watch for with [https://gitlab.com/gitlab-com/www-gitlab-
com/-/merge_request...](https://gitlab.com/gitlab-com/www-gitlab-
com/-/merge_requests/47009)

------
ckdarby
This is the kind of thing that leaves me with little confidence that
decentralised currency will mainstream as decentralised.

I've only seen three actual mainstream uses for crypto:

- laundering or indirect laundering of money

- Send or receive money without government oversight

- Piggyback on as a ledger to not have to develop your own decentralised
ledger

------
thanksforfish
> this malicious gem had 2,100 downloads, close to 30% of the total downloads
> that the legitimate gem

I wonder if most of those downloads are fake to boost the download stats and
to give more credibility. Either way, that's troubling...

~~~
tinco
I've published a couple gems that I'm pretty sure no one uses, and after a few
months the downloads were in the hundreds, probably bots and mirrors. Most
likely the figure only makes sense when seen relative to other gems.

------
Techies4Trump
Anybody who doesn't use a dev VM these days is asking for trouble. It's too
easy for attackers to run malicious code on your machine with techniques like
this.

~~~
_eht
I would go as far as saying anyone who does not have control and awareness of
their dependencies is asking for trouble. VM be damned.

~~~
akira2501
That's part of the reason I feel uncomfortable with "modern" package systems
like golang's. I really want to use golang more, but I just don't feel
'secure' about building a bunch of packages pulled off of github by URL.

~~~
_eht
Third-party package management is not a modern marvel by any means. You are
unnecessarily singling out golang, and if you let that stop you from learning
it's your loss. Just be smart. Dependency awareness is not black magic.

