Malicious RubyGems packages targeting social media credentials

Socket’s Threat Research Team has uncovered a persistent campaign involving over 60 malicious RubyGems packages posing as automation tools for platforms like Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver.


The threat actor, active since at least March 2023 under aliases such as zon, nowon, kwonsoonje, and soonje, has published packages that deliver the advertised functionality, such as bulk posting, while covertly exfiltrating user credentials and system identifiers. Classified as infostealer malware, these packages primarily target Windows users, particularly in South Korea, as indicated by their Korean-language interfaces and exfiltration to .kr domains.


Long-Running Supply Chain Attack

Although the gems have been downloaded over 275,000 times, that figure does not correspond to as many compromised systems, since a single system can account for multiple installations. Socket has reported the 16 active gems published under the nowon, kwonsoonje, and soonje aliases to the RubyGems security team for removal; the 44 published under zon were removed by the actor but remain in caches.