
A fresh set of 60 malicious packages has been uncovered in the RubyGems ecosystem, posing as harmless automation tools for social media, blogging, or messaging services in order to steal credentials from unsuspecting users.
The activity is assessed to have been active since at least March 2023, according to software supply chain security company Socket. Cumulatively, the gems have been downloaded over 275,000 times.
That said, not every download translates into an execution, and some of these gems may have been downloaded more than once to a single machine, so this figure may not accurately represent the actual number of compromised systems.
“Threat actors using the aliases zon, nowon, kwonsoonje and soonje have published 60 malicious gems disguised as automation tools for Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao and Naver.
The identified gems promise features such as bulk posting and engagement, but they secretly exfiltrate usernames and passwords to external servers under the threat actors’ control after displaying a simple graphical user interface for entering credentials.”

Some gems, such as njongto_duo and jongmogtolon, are notable for their focus on financial discussion platforms; these libraries are sold as tools to flood investment-related forums with ticker mentions and stock narratives, with integrated engagement features to amplify visibility and manipulate public perception.
The servers used to receive the captured information include program[.]com, appspace[.]kr, and marketingduo[.]co[.]kr. These domains are known to promote bulk messaging, phone number scraping, and automated social media tools.
The campaign’s victims are likely grey-hat marketers who rely on such tools to run spam, search engine optimization (SEO), and engagement campaigns that artificially inflate engagement metrics.
“Each gem functions as an infostealer targeting (though not exclusively) Windows users, aimed at Korean users. The campaign has evolved across multiple aliases and waves of infrastructure, suggesting a mature and persistent operation.”
“By embedding credential theft capabilities in gems sold to automation-focused grey-hat users, threat actors quietly capture sensitive data while blending into seemingly legitimate activity.”
This development comes as GitLab detected multiple typosquatted packages on the Python Package Index (PyPI) designed to steal cryptocurrency from victims’ wallets by hijacking legitimate staking functionality. The Python libraries mimicking bittensor and bittensor-cli are as follows: bittensor (versions 9.9.4 and 9.9.5), bittensor-cli, qbittensor, and bittenso.
“The attackers appear to have specifically targeted staking operations for calculated reasons,” says the GitLab Vulnerability Research Team. “By hiding malicious code within a legitimate-looking staking function, the attackers leveraged both the technical requirements of regular blockchain operations and user psychology.”

This disclosure follows new restrictions imposed by the PyPI maintainers to protect Python package installers and inspection tools from confusion attacks that arise from differences between ZIP parser implementations.
Put another way, PyPI said it would reject “wheels” (which are simply ZIP archives) that exploit ZIP confusion to smuggle malicious payloads past manual review and automated detection tools.
“This was done in response to the discovery that the popular installer uv has different extraction behavior from many Python-based installers that use the ZIP parser implementation provided by the zipfile standard library module,” says Seth Michael Larson of the Python Software Foundation (PSF).
PyPI credited Caleb Brown of the Google Open Source Security Team and Tim Hatch of Netflix with reporting the issue. It also said it now warns users when they publish wheels whose ZIP contents do not match the RECORD metadata file.
“After six months of warnings, on February 1, 2026, PyPI will begin rejecting newly uploaded wheels whose ZIP contents do not match the RECORD metadata file,” says Larson.
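The consistency check behind that rule, written here as an added example (it is not PyPI's own code): a wheel is opened as a ZIP, its *.dist-info/RECORD listing is parsed, and every file present in the archive but absent from RECORD, listed but missing, or differing in sha256 or size is reported. The build_wheel helper constructs a small sample wheel in memory so the check can be run offline.

```python
from __future__ import annotations
import base64
import csv
import hashlib
import io
import zipfile

def _sha256_b64(data: bytes) -> str:
    """RECORD-style digest: urlsafe base64 of sha256 with the '=' padding stripped."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()

def record_mismatches(wheel_bytes: bytes) -> list[str]:
    """Report each way a wheel's ZIP contents disagree with its *.dist-info/RECORD.
    RECORD lists every file as "path,sha256=<digest>,<size>"; files in the ZIP but not in
    RECORD (a smuggled payload), entries with no file, and hash/size mismatches are findings."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = {info.filename for info in zf.infolist()}
        records = [n for n in names if n.endswith(".dist-info/RECORD")]
        if len(records) != 1:
            return [f"expected exactly one RECORD file, found {len(records)}"]
        listed = {}
        for row in csv.reader(io.StringIO(zf.read(records[0]).decode("utf-8"))):
            if len(row) == 3:  # skip blank or malformed lines
                listed[row[0]] = (row[1], row[2])
        findings += [f"{p}: in ZIP but not in RECORD" for p in sorted(names - set(listed))]
        findings += [f"{p}: in RECORD but not in ZIP" for p in sorted(set(listed) - names)]
        for path in sorted(names & set(listed)):
            if path == records[0]:
                continue  # RECORD carries no hash or size for itself
            data = zf.read(path)
            digest, size = listed[path]
            algo, _, expected = digest.partition("=")
            if algo != "sha256" or expected != _sha256_b64(data):
                findings.append(f"{path}: sha256 mismatch")
            if size and int(size) != len(data):
                findings.append(f"{path}: size mismatch")
    return findings

def build_wheel(files: dict[str, bytes], unlisted: dict[str, bytes] | None = None) -> bytes:
    """Constructed sample wheel: `files` are recorded in RECORD, `unlisted` go into the ZIP only."""
    dist, buf, lines = "demo-1.0.dist-info", io.BytesIO(), []
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
            lines.append(f"{path},sha256={_sha256_b64(data)},{len(data)}")
        for path, data in (unlisted or {}).items():
            zf.writestr(path, data)
        zf.writestr(f"{dist}/RECORD", "\n".join(lines + [f"{dist}/RECORD,,"]) + "\n")
    return buf.getvalue()
```

The check sees the archive the way Python's zipfile module does; since a ZIP confusion attack relies on a different parser (such as uv, in the case above) extracting different bytes, this catches RECORD inconsistencies rather than the parser disagreement itself.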