https://socket.dev/blog/60-malicious-ruby-gems-used-in-targeted-credential-theft-campaign
Security researchers at Socket have uncovered a supply chain attack involving 60 malicious Ruby gems that have been downloaded over 275,000 times since March 2023, primarily targeting South Korean developers using automation tools for popular platforms including Instagram, TikTok, Twitter, Telegram, and WordPress. The malicious packages were distributed through RubyGems.org under multiple aliases including zon, nowon, kwonsoonje, and soonje, with attackers spreading their activity across different accounts to evade detection and complicate blocking efforts.
The deceptively named packages included WordPress automation tools like wp_posting_duo and wp_posting_zon, Telegram bot utilities such as tg_send_duo and tg_send_zon, and various SEO and blogging platform mimics designed to appear legitimate to unsuspecting developers. While each gem presented a functional graphical user interface and delivered some advertised functionality, they secretly operated as sophisticated phishing tools that harvested user credentials entered into login forms and transmitted them to hardcoded command-and-control servers at programzon.com, appspace.kr, and marketingduo.co.kr. The stolen data included plaintext usernames and passwords, device MAC addresses for fingerprinting purposes, and package names for campaign performance tracking.
The credential harvesting operation has proven highly effective, with Socket researchers discovering logs from the campaign being sold on Russian-speaking darknet markets, confirming the malicious intent and commercial exploitation of the stolen data. Despite the discovery and reporting of all 60 malicious gems to the RubyGems team, at least 16 packages remained available at the time of the report, highlighting ongoing vulnerabilities in open-source package repositories. This incident represents part of a broader pattern of supply chain attacks targeting Ruby developers, following similar campaigns discovered in June 2025 that involved malicious gems typosquatting legitimate tools like Fastlane to target Telegram bot developers, underscoring the critical need for enhanced security measures and vigilance when incorporating third-party libraries into development workflows.
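As an added defender-side example (not code from Socket's report or from the gems themselves), the following Ruby script checks a Gemfile.lock for the malicious gem names quoted above and scans gem source text for the hardcoded C2 domains. The lists hold only the names given in this summary, not the full set of 60, and the sample lockfile and source line are constructed.

```ruby
# Gem names and C2 domains quoted in the summary above (not the full list of 60).
KNOWN_MALICIOUS_GEMS = %w[wp_posting_duo wp_posting_zon tg_send_duo tg_send_zon].freeze
KNOWN_C2_DOMAINS = %w[programzon.com appspace.kr marketingduo.co.kr].freeze

# Parse the "specs:" section of a Gemfile.lock into { gem_name => version }.
# Direct specs are indented 4 spaces, their dependencies 6, so only depth-4 lines count.
def parse_lockfile_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    # A non-indented, non-blank line (e.g. PLATFORMS) ends the GEM block.
    in_specs = false if line =~ /^\S/
    next unless in_specs
    specs[$1] = $2 if line =~ /^ {4}([A-Za-z0-9_.-]+) \(([^)]+)\)\s*$/
  end
  specs
end

# Report locked gems whose name is on the known-malicious list.
def flag_malicious_gems(lock_text)
  parse_lockfile_specs(lock_text).select { |name, _| KNOWN_MALICIOUS_GEMS.include?(name) }
end

# Report hardcoded references to the known C2 domains in a gem's source text.
def find_c2_references(source)
  KNOWN_C2_DOMAINS.select { |domain| source.include?(domain) }
end

# Constructed sample inputs so the script runs stand-alone.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
        racc (~> 1.4)
      racc (1.7.3)
      tg_send_duo (0.1.2)

  PLATFORMS
    ruby
LOCK
SAMPLE_SOURCE = "uri = URI('https://programzon.com/api/log')\n"
if __FILE__ == $0
  puts "malicious gems: #{flag_malicious_gems(SAMPLE_LOCK).inspect}"
  puts "c2 references: #{find_c2_references(SAMPLE_SOURCE).inspect}"
end
```

Run it against a real project by replacing the constructed samples with `File.read("Gemfile.lock")` and the contents of each installed gem's source files.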