The incident was discovered two days ago by ReversingLabs, a security firm based in Cambridge, Massachusetts. The hackers first inserted the malicious files into a package manager called RubyGems, which is commonly used to upload and share Ruby libraries and improvements to existing software. The report also highlights that the hackers tried to trick developers into downloading the malware using the typosquatting method.
In a typosquatting attack, the attacker deliberately uploads malicious packages whose names are misspellings of legitimate packages. Developers who mistype the name of a package they want then unwittingly install the malicious library instead.
According to ReversingLabs, the packages were uploaded to RubyGems between February 16 and 25. Most of these packages were designed to steal funds by redirecting cryptocurrency transactions to a wallet chosen by the attackers.
ReversingLabs said, “Being closely integrated with the programming languages, the repositories make it easy to consume and manage third-party components. Consequently, including another project dependency has become as easy as clicking a button or running a simple command in the developer environment. But just clicking a button or running a simple command can sometimes be a dangerous thing, as threat actors also share an interest in this convenience by compromising developer accounts or their build environments, and by typosquatting package names.”
Once a malicious package lands on a developer's machine, the malware executes its script and starts an infinite loop. The loop monitors the user's clipboard data and redirects all subsequent cryptocurrency transactions to the attackers' designated wallet.
Popular repository platforms such as the Python Package Index (PyPI) and GitHub's Node.js package manager npm have likewise proved to be effective attack vectors for distributing malware. Developers are advised to verify that they have used the correct package names.
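As an added illustration of the check recommended above (this is example code, not from the article or ReversingLabs), the following Ruby script scans a Gemfile for gem names that are near-misses of well-known gems, the pattern typosquatters exploit. The popular-gem list and the sample Gemfile are constructed for the example.

```ruby
# Added example (not from the article or ReversingLabs): flag gem names that
# are near-misses of well-known gems. POPULAR_GEMS is a constructed allowlist.
POPULAR_GEMS = %w[rails rake nokogiri bundler rspec puma sinatra devise].freeze

# Damerau-style edit distance (insert, delete, substitute, adjacent transpose).
def edit_distance(a, b)
  prev2 = nil
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      d = [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
      if i > 1 && j > 1 && ca == b[j - 2] && a[i - 2] == cb
        d = [d, prev2[j - 2] + 1].min # transposition of adjacent characters
      end
      cur << d
    end
    prev2, prev = prev, cur
  end
  prev.last
end

# Extract gem names from Gemfile text (handles simple `gem "name"` lines only).
def gem_names(gemfile_text)
  gemfile_text.scan(/^\s*gem\s+["']([^"']+)["']/).flatten
end

# Return {name => suspected_target} for names that are close to, but not
# exactly, a popular gem. Exact matches are trusted and skipped.
def suspicious_gems(gemfile_text, popular = POPULAR_GEMS, max_dist = 2)
  gem_names(gemfile_text).each_with_object({}) do |name, out|
    next if popular.include?(name)
    hit = popular.find { |p| edit_distance(name, p) <= max_dist }
    out[name] = hit if hit
  end
end

# Constructed sample Gemfile: "rails" is fine, "nokgiri" and "rakee" are not.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails"
  gem "nokgiri"
  gem "rakee", "~> 13.0"
  gem "httparty"
GEMFILE

if __FILE__ == $0
  suspicious_gems(SAMPLE_GEMFILE).each { |n, t| puts "#{n}: looks like #{t}" }
end
```

A real deployment would replace the constructed allowlist with the project's known dependencies or a download-ranked list from rubygems.org.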