Researchers Spot Two RubyGems Packages Infected with Cryptocurrency-Stealing Malware

Two newly infected RubyGems packages were spotted in the open source software repository. They contained malicious code used primarily to steal cryptocurrency from users through a supply chain attack.

Two RubyGems Cryptocurrency Stealers Found by Researchers at Sonatype

According to Ax Sharma, a security researcher at Sonatype, the two gems found, pretty_color and ruby-bitcoin, contained malware that targeted Windows machines and replaced any Bitcoin (BTC), Ethereum (ETH) or Monero (XMR) wallet address found on the victim's clipboard with one belonging to the attackers.

RubyGems is the package manager for the Ruby programming language; it lets developers integrate code written by others. Anyone can upload a "gem" to the repository, which in effect opens the door for threat actors to upload malicious packages.

The researcher further explained how the attack operates:

This means that if a user who had installed either of these gems were to copy-paste a bitcoin recipient wallet address somewhere on their system, the address would be replaced with the attacker's address, which would now receive the bitcoins.

In its analysis, the Sonatype Security Research team found that unless the victim double-checks the wallet address after pasting it, the clipboard hijacker used in this supply chain attack quietly swaps the address. The hijacker is dropped as separate malicious scripts contained in VBS files.
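As an added example (not from the article or from Sonatype's research), the following Ruby code shows a defender-side heuristic for the swap pattern described above: a wallet address sitting on the clipboard is replaced, within a short window, by a different address of the same coin. The address formats, the two-second window and all sample clipboard contents are assumptions constructed for this example.

```ruby
# Constructed example: a heuristic detector for clipboard wallet-address
# swaps. Feed it polled clipboard snapshots ({ t: seconds, text: contents })
# and it returns the transitions that look like a hijacker overwrite.

# Rough syntactic formats for the three coins named in the report
# (legacy/bech32 BTC, hex ETH, standard XMR). Format checks only, no checksums.
WALLET_PATTERNS = {
  btc: /\A(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\z/,
  eth: /\A0x[0-9a-fA-F]{40}\z/,
  xmr: /\A4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\z/
}.freeze

# Seconds within which a same-coin address change is treated as suspicious;
# a person rarely copies two different addresses of one coin back-to-back.
SWAP_WINDOW = 2.0

# Returns the coin symbol whose format the text matches, or nil.
def classify(text)
  WALLET_PATTERNS.each { |coin, re| return coin if re.match?(text) }
  nil
end

# Compares each pair of consecutive snapshots and collects suspicious swaps.
def swap_alerts(snapshots)
  alerts = []
  snapshots.each_cons(2) do |before, after|
    coin = classify(before[:text])
    next unless coin && classify(after[:text]) == coin
    next if before[:text] == after[:text]
    next if after[:t] - before[:t] > SWAP_WINDOW # slow change: likely the user
    alerts << { coin: coin, at: after[:t],
                original: before[:text], replaced_with: after[:text] }
  end
  alerts
end

# Constructed addresses: syntactically valid shapes, not real wallets.
BTC_USER     = "1AaBbCcDdEeFfGgHhJjKkMmNnPpQqRrSsT"
BTC_ATTACKER = "1TtUuVvWwXxYyZz23456789AaBbCcDdEe"
ETH_USER     = "0x" + "a1b2c3d4e5f6" * 3 + "a1b2"
ETH_OTHER    = "0x" + "deadbeef" * 5

# Constructed clipboard timeline: one hijack 200 ms after a BTC copy, then a
# benign change of ETH address twenty seconds apart.
SAMPLE_SNAPSHOTS = [
  { t: 0.0,  text: "invoice #42" },
  { t: 1.0,  text: BTC_USER },
  { t: 1.2,  text: BTC_ATTACKER },
  { t: 9.0,  text: ETH_USER },
  { t: 30.0, text: ETH_OTHER }
].freeze

puts swap_alerts(SAMPLE_SNAPSHOTS).inspect if __FILE__ == $PROGRAM_NAME
```

A real deployment would read the clipboard through the operating system's API instead of the constructed snapshots, and the window should be tuned to the host's polling interval.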

Supply Chain Attacks: A Growing Concern

Sharma also warned of the growing trend of supply chain attacks so far in 2020, calling it a “bigger concern.”

According to Sonatype's 2020 Software Supply Chain report, upstream software supply chain attacks have increased by 430% over the past year, making it "virtually impossible" to track and monitor such components by hand.

Sharma of Sonatype adds:

Of all the activities a ransomware group can carry out on a threatened system, replacing a bitcoin wallet address on the clipboard feels more like a trivial evil by an amateur threat actor than a sophisticated ransomware operation. However, this coincidence raises more concern, considering how there have been rampant attacks on the software supply chain in 2020.

Will crypto-related supply chain attacks take center stage in 2021? Let us know in the comments section below.
