Socket’s Threat Research Team has revealed a long-running supply chain attack in the RubyGems ecosystem, where a single threat actor—operating under aliases including zon, nowon, kwonsoonje, and soonje—published 60 malicious gems since March 2023. These packages masqueraded as automation tools for platforms like Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver, but covertly exfiltrated user credentials to attacker-controlled infrastructure.
“These gems deliver their advertised functionality… but covertly exfiltrate credentials (usernames and passwords) to threat actor-controlled infrastructure, which classifies them as infostealer malware,” the researchers stated.
The campaign thrived by targeting a niche demographic: grey-hat marketers—operators who run spam, SEO, and synthetic engagement campaigns using disposable accounts. Because these users rarely report compromises, the malware operated for over a year without public detection.
At the time of reporting, 16 malicious gems remain live on RubyGems, while 44 earlier gems were “yanked” but remain available via cached mirrors and existing installations. Collectively, the packages have been downloaded over 275,000 times.
The malicious gems typically feature a Korean-language GUI built with Glimmer-DSL-LibUI. Users are prompted to enter platform credentials—only to have them immediately sent via HTTP POST to domains such as programzon[.]com, appspace[.]kr, and marketingduo[.]co[.]kr.
Socket’s analysis of the iuz-64bit gem demonstrates the attack flow. Key traits include:
- MAC address collection for victim fingerprinting
- Hardcoded C2 endpoints for data exfiltration
- Uniform theft logic across all malicious packages
Every interface, help text, and internal variable is written in Korean, and the infrastructure is tied to .kr domains. While the packages are optimized for South Korean users, nothing restricts the malware to that region: the credential theft works wherever the gem is installed.
The victims’ operations often involve tools from SMM panels (smmdoge[.]com, ytmonster[.]net), SEO manipulation platforms (BacklinkMachine, SpamZilla), account marketplaces (accs-market[.]com), and OTP-bypass SMS services (smshub[.]org).
Socket notes that “by embedding credential theft functionality within gems marketed to automation-focused grey-hat users, the threat actor covertly captures sensitive data while blending into activity that appears legitimate.”
Some malicious gems, such as njongto_duo and jongmogtolon, target financial discussion forums, enabling grey-hat promoters to flood stock chatrooms with synthetic engagement—while simultaneously harvesting their credentials. This grants the threat actor access to influence campaigns and the compromised infrastructure itself.