Crypto mining and cookie/password stealing malware in RubyGems

[lingfennan]

Hi RubyGems maintainers,

I found the author shaggy has uploaded 23 malicious packages. Please remove this author and all his packages!

These packages are mainly two categories: crypto mining (e.g. aloha_analyser, get-text) and cookie/password stealing (e.g. chrome_taker, color_hacker). The crypto mining ones contain the same payload as /tmp/rc9 in the report.

https://rubygems.org/profiles/shaggy
https://b4d.sablun.org/blog/2019-04-19-ignoring-atlassian-confluence-security-advisories/

[sonalkr132]

Hi, thank you for reporting this. Gems have been yanked and we have blocked the handle.

[kpshek]

@sonalkr132 - Do you have a list of all of the affected gems that were yanked? I know your wiki page has a running list of gems that were yanked, but the entry for this instance just states that "All gems where shaggy is the owner". I'd like to know the exact gems that were yanked so I can ensure my company's internal RubyGems cache also has these malicious gems pulled.

[lingfennan]

@kpshek The full list of the packages from shaggy are listed below:
chrome_taker, color_hacker, aloha_analyser, get-text, ruby_nmap, get-texts, colourize, colourful, TacoBell, unix_crypt, colour-lib, colour_lib, json_colour, unixCrypt, auto-cron, json-colour, CopyIp, colour_cat, colour-generator, phantom-proxy, colour_adjuster, colour_parser, btc-ruby.