60 Malicious Packages Found in RubyGems, Downloaded 275,000 Times

Security researchers have uncovered 60 malicious packages on RubyGems, the package manager for the Ruby programming language. Disguised as harmless automation tools for social media, blogs, and messaging platforms, the gems stole user credentials and, since March 2023, have been downloaded more than 275,000 times.
Experts at Socket, who identified the campaign, report that the packages primarily targeted users in South Korea who rely on automation tools for TikTok, X (formerly Twitter), Telegram, Naver, WordPress, Kakao, and similar platforms.
The full list of malicious packages is included in Socket’s report. Examples of the attackers’ typosquatting techniques include:
- WordPress automation: wp_posting_duo, wp_posting_zon
- Telegram bots: tg_send_duo, tg_send_zon
- SEO backlink tools: backlink_zon, back_duo
- Blog platform tools: nblog_duo, nblog_zon, tblog_duopack, tblog_zon
- Naver Café tools: cafe_basics[_duo], cafe_buy[_duo], cafe_bey, *_blog_comment, *_cafe_comment
The malware was published on RubyGems.org under multiple publisher accounts, including zon, nowon, kwonsoonje, and soonje, making the campaign harder to track and block.
Notably, all 60 gems featured a graphical user interface that appeared legitimate and delivered the promised functionality. However, any credentials entered were quietly transmitted to hardcoded attacker-controlled servers (programzon[.]com, appspace[.]kr, marketingduo[.]co[.]kr). In some cases, the tools even displayed fake success or error messages despite performing no real logins or API requests.

Victims’ usernames, passwords, device MAC addresses (for fingerprinting), and the names of the malicious packages (for tracking campaign effectiveness) were sent in plaintext. Researchers say this stolen data has since appeared for sale on Russian-speaking darknet marketplaces.

The report warns that at least 16 of the malicious gems remain available for download, even after Socket reported all 60 to the RubyGems team.
Security experts urge developers to:
- Inspect open-source packages for suspicious or obfuscated code.
- Check the reputation and release history of the author.
- Prefer widely used, verified-safe versions.
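As an added defender's example (not code from Socket's report or from RubyGems), the following Ruby script applies the first two recommendations to this campaign: it checks a Gemfile.lock against the gem-name patterns listed above and greps unpacked gem source for the reported receiving hosts and plaintext http:// endpoints. The lockfile and source snippet it runs on are constructed samples, not real files.

```ruby
# Added defender example (not Socket's or RubyGems' code); sample inputs are constructed.
# Names from the report's list: "[_duo]" is an optional suffix, "*" a wildcard.
REPORTED_NAME_PATTERNS = %w[
  wp_posting_duo wp_posting_zon tg_send_duo tg_send_zon backlink_zon back_duo
  nblog_duo nblog_zon tblog_duopack tblog_zon cafe_basics[_duo] cafe_buy[_duo]
  cafe_bey *_blog_comment *_cafe_comment
].freeze
# Receiving hosts quoted in the report, defanging brackets removed.
REPORTED_HOSTS = %w[programzon.com appspace.kr marketingduo.co.kr].freeze

# Convert one report-style name pattern into an anchored regex.
def pattern_to_regex(pattern)
  src = Regexp.escape(pattern)
  src = src.gsub(/\\\[(.+?)\\\]/) { "(?:#{$1})?" }  # optional suffix
  src = src.gsub('\*', '[a-z0-9_]+')                # wildcard segment
  /\A#{src}\z/
end
NAME_REGEXES = REPORTED_NAME_PATTERNS.map { |p| [p, pattern_to_regex(p)] }.freeze

# Walk the "specs:" entries of a Gemfile.lock (resolved gems are indented by
# exactly four spaces) and return [name, version, pattern] for each match.
def flag_lockfile(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)/) or next
    hit = NAME_REGEXES.find { |_, re| re.match?(m[1]) } or next
    [m[1], m[2], hit[0]]
  end
end

# Grep unpacked gem source (e.g. after `gem unpack`) for the reported hosts and
# for plaintext http:// URLs, the channel the report says credentials left by.
def flag_source(source_text)
  hosts = REPORTED_HOSTS.select { |h| source_text.include?(h) }
  { reported_hosts: hosts, plaintext_urls: source_text.scan(%r{http://[\w.\-/]+}).uniq }
end

# Constructed sample inputs (hypothetical, not real files) for a stand-alone run.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
        racc (~> 1.4)
      racc (1.7.3)
      tg_send_duo (0.1.2)
      cafe_basics_duo (1.0.0)
LOCK
SAMPLE_SOURCE = "ENDPOINT = 'http://programzon.com/api/login'\n"
puts flag_lockfile(SAMPLE_LOCKFILE).inspect, flag_source(SAMPLE_SOURCE).inspect
```

Run it against a project's real Gemfile.lock and the output of `gem unpack <name>`; a name hit alone is a prompt to inspect the gem, while a hit on a reported host is grounds to remove it.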