New malicious RubyGems packages have been discovered that steal cryptocurrency from unsuspecting users. RubyGems is the package manager for the Ruby programming language; it lets developers download other developers’ code and integrate it into their own projects. Because any developer can upload packages to the RubyGems repository, criminals can publish malicious packages there in the hope that another developer will pull one into their code. Every project that depends on such a package is then infected, and if a widely used project picks it up, the result is a supply chain attack with broad distribution. Open-source security firm Sonatype reported two malicious packages that install a clipboard hijacker. The packages pose as a bitcoin library and as a library for displaying strings with different color effects. The clipboard hijacker monitors the Windows clipboard on the infected system for cryptocurrency addresses; when it detects one, it replaces it with an address under the attacker’s control. Unless the user double-checks the pasted wallet address before sending, the transaction goes to the attacker’s wallet. The malicious package files are ‘pretty_color-0.8.1.gem’ and ‘ruby-bitcoin-0.0.20.gem’, and the attacker’s wallet addresses are:
Bitcoin: bc1qgmem0e4mjejg4lpp03tzlmhfpj580wv5hhkf3p
Ethereum: 0xcB56f3793cA713813f6f4909D7ad2a6EEe41eF5e
Monero: 467FN8ns2MRYfLVEuyiMUKisvjz7zYaS9PkJVXVCMSwq37NeesHJpkfG44mxEFHu8Nd9VDtcVy4kM9iVD7so87CAH2iteLg
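The following Ruby script is an added example written for this page; it is not code from the article, from Sonatype, or from the malicious gems. It does two things a practitioner would want after reading the report: it scans Gemfile.lock text for the two gem name/version pairs derived from the file names above, and it applies the hijacker's own trigger logic in reverse, flagging the case where an address placed on the clipboard reads back as a different address of the same family, or as one of the wallets listed above. The address patterns are loose syntactic checks (no checksum validation), the clipboard is modelled as a list of constructed events rather than read from the OS, and the lockfile and the "1Abc..." address are constructed for the demonstration.

```ruby
# Added example (not from the original article or the gems it describes).

# Attacker wallets listed in the article, keyed by address family.
KNOWN_BAD = {
  "bc1qgmem0e4mjejg4lpp03tzlmhfpj580wv5hhkf3p" => :btc,
  "0xcB56f3793cA713813f6f4909D7ad2a6EEe41eF5e" => :eth,
  "467FN8ns2MRYfLVEuyiMUKisvjz7zYaS9PkJVXVCMSwq37NeesHJpkfG44mxEFHu8Nd9VDtcVy4kM9iVD7so87CAH2iteLg" => :xmr,
}.freeze

# Gem name/version pairs derived from the .gem file names in the article.
MALICIOUS_GEMS = { "pretty_color" => ["0.8.1"], "ruby-bitcoin" => ["0.0.20"] }.freeze

# Loose "looks like an address" patterns: bech32 and legacy base58 for BTC,
# 0x + 40 hex for ETH, 95-char base58 starting with 4 or 8 for XMR.
# No checksum is verified; a hijacker only needs this much to fire, so a
# detector only needs this much to notice.
ADDRESS_PATTERNS = {
  btc: /\A(?:bc1[02-9ac-hj-np-z]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\z/,
  eth: /\A0x[0-9a-fA-F]{40}\z/,
  xmr: /\A[48][1-9A-HJ-NP-Za-km-z]{94}\z/,
}.freeze

# Returns :btc, :eth, :xmr or nil for the given clipboard text.
def address_type(text)
  s = text.to_s.strip
  ADDRESS_PATTERNS.each { |type, re| return type if s.match?(re) }
  nil
end

def known_bad?(text)
  KNOWN_BAD.key?(text.to_s.strip)
end

# Scan Gemfile.lock text for the flagged name/version pairs. Spec lines in a
# lockfile look like "    pretty_color (0.8.1)".
def flagged_gems(lockfile_text)
  lockfile_text.each_line.each_with_object([]) do |line, hits|
    m = line.match(/\A\s+([A-Za-z0-9_.-]+) \(([^)]+)\)\s*\z/)
    next unless m
    name, version = m[1], m[2]
    hits << [name, version] if MALICIOUS_GEMS.fetch(name, []).include?(version)
  end
end

# Clipboard events are [source, content] pairs: :user for an explicit copy,
# :observed for a later read-back of the clipboard. A swap is an observed
# address of the same family as the last user copy but with different text;
# any observed known attacker wallet is reported too.
def detect_swaps(events)
  alerts = []
  last_user = nil
  events.each do |source, content|
    text = content.to_s.strip
    type = address_type(text)
    if source == :user
      last_user = [text, type]
      next
    end
    swapped = last_user && type && type == last_user[1] && text != last_user[0]
    bad = known_bad?(text)
    next unless swapped || bad
    alerts << { type: type, seen: text, original: (swapped ? last_user[0] : nil),
                known_attacker_wallet: bad }
  end
  alerts
end

# Constructed sample input: a lockfile pulling the flagged gem, and a copy of
# a made-up legacy BTC address that reads back as the article's BTC wallet.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      colorize (0.8.1)
      pretty_color (0.8.1)
      rake (13.0.1)

  DEPENDENCIES
    pretty_color
LOCK

SAMPLE_EVENTS = [
  [:user,     "1AbcdefghjkmnpqrstuvwxyzABCDEFGHJ"],  # constructed, not a real wallet
  [:observed, "1AbcdefghjkmnpqrstuvwxyzABCDEFGHJ"],  # unchanged: fine
  [:observed, "bc1qgmem0e4mjejg4lpp03tzlmhfpj580wv5hhkf3p"],  # swapped to attacker wallet
  [:user,     "hello world"],
  [:observed, "hello world"],
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "flagged gems: #{flagged_gems(SAMPLE_LOCKFILE).inspect}"
  detect_swaps(SAMPLE_EVENTS).each { |a| puts "clipboard swap: #{a.inspect}" }
end
```

To use this against a real machine, feed `flagged_gems` the contents of each project's Gemfile.lock, and feed `detect_swaps` a stream of events produced by hooking your own copy action as `:user` and polling the clipboard as `:observed`; the comparison logic itself is platform-independent.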