Typosquatting technique malware on RubyGems

April 24, 2020
rubygems typosquatting malware antimalware financial malware trojan antitrojan

RubyGems, one of the best-known repositories of open source code for developers, discovered a new threat between February 16 and 25 of this year. The company announced that its malware detection program had identified and pulled 700 malicious packages. Once such a package is included in a software project, its code compromises the developer's machine and the security software on it, and is later carried into the finished application when that application is deployed.

Fortunately, scanning the repository for malware reduces the risk of its being used for malicious or fraudulent acts by cyberattackers. The maintainers confirmed that the technique used was typosquatting: packages are published under intentionally misspelled versions of legitimate package names, so a developer who mistypes a dependency name pulls the malicious package into the software they are building. Once the package has infected the machine, the malicious code plants hidden code that waits for a trigger condition set by the attacker.


An in-depth investigation by the RubyGems maintainers found that the compromised packages on the repository posed as legitimate packages and targeted developers on Windows systems who also used a Bitcoin program. Once the victim performs a Bitcoin transaction on the infected computer, the code triggers and redirects the transaction to the attacker's Bitcoin wallet, so the victim loses both sensitive information and money. The code also persists: once triggered, it runs as a system process and keeps running after a reboot, waiting for the victim's next Bitcoin transaction.

Thanks to RubyGems' prompt action, the compromised packages on the repository were narrowed down and traced to two accounts, "JimCarrey" and "PeterGibbons," with "atlas-client" as the typosquatted package. Luckily, these were removed almost two days after their discovery, on February 27.
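As an added example (not code from this article or from RubyGems), the following Ruby check flags dependencies in a Gemfile.lock whose names are one edit away from a trusted gem name, which is the pattern the typosquatting described above relies on. The lock file content and the trusted list are constructed, and atlas_client is assumed here to be the legitimate gem that atlas-client imitated.

```ruby
require 'set'

# Levenshtein edit distance between two strings (classic dynamic programming).
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Extract top-level spec names from Gemfile.lock text: inside the "specs:"
# block they are indented by exactly four spaces and followed by "(version)".
def lock_gem_names(lock_text)
  lock_text.lines.filter_map do |line|
    m = line.match(/\A {4}(\S+) \(/)
    m && m[1]
  end.uniq
end

# Return [gem_name, nearest_trusted_name, distance] for every gem that is not
# itself trusted but sits within max_distance edits of a trusted name.
def typosquat_candidates(gem_names, trusted, max_distance: 1)
  trusted_set = trusted.to_set
  gem_names.reject { |g| trusted_set.include?(g) }.filter_map do |g|
    best = trusted.min_by { |t| edit_distance(g, t) }
    d = edit_distance(g, best)
    [g, best, d] if d <= max_distance
  end
end

# Constructed sample lock file. "atlas-client" is the name the article reports;
# "atlas_client" is assumed to be the legitimate gem it imitates.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      atlas-client (0.0.2)
      rails (6.0.2)
        activesupport (= 6.0.2)
      nokogiri (1.10.9)
LOCK
TRUSTED = %w[atlas_client rails nokogiri activesupport].freeze

if __FILE__ == $PROGRAM_NAME
  typosquat_candidates(lock_gem_names(SAMPLE_LOCK), TRUSTED).each do |g, t, d|
    puts "suspicious: #{g} (looks like #{t}, distance #{d})"
  end
end
```

Raising max_distance to 2 widens the net but also raises false positives on short gem names, so review the flagged pairs rather than blocking on them automatically.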

Other repositories, such as the Python Package Index (PyPI) and the GitHub-owned Node.js package manager npm, have likewise been flagged by many developers as channels for malware distribution. This document was published to warn all developers to be more careful and to properly scrutinize the packages or code they include in their projects. The aim is to avoid unintentionally installing trojan malware onto every system their projects are deployed to. These precautions are necessary because reports of this type of abuse are rising rapidly.
