In early 2023, cybersecurity researchers identified a sophisticated supply chain attack targeting the RubyGems ecosystem. Threat actors, operating under aliases such as zon, nowon, kwonsoonje, and soonje, have published over 60 malicious gems. These packages masquerade as legitimate automation tools for platforms like Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver, while covertly harvesting user credentials.
Scope and Impact
The malicious gems have been downloaded more than 275,000 times, indicating a significant reach. However, this figure may not accurately represent the number of compromised systems, as not every download results in execution, and multiple downloads can occur on a single machine. The primary targets appear to be grey-hat marketers who utilize such tools for spam, search engine optimization (SEO), and engagement campaigns. These individuals often rely on disposable accounts, making them less likely to report breaches, thereby allowing the malicious activity to persist undetected.
Infection Mechanism
Each malicious gem incorporates a lightweight graphical user interface (GUI) built with Glimmer-DSL-LibUI, presented in Korean to appeal to South Korean users. Upon execution, the GUI prompts users to enter their credentials under the guise of legitimate login for automation services. Instead of forwarding these details to official APIs, the gems immediately exfiltrate credentials and host MAC addresses to attacker-controlled servers via HTTP POST requests. The domains programzon[.]com, appspace[.]kr, marketingduo[.]co[.]kr, and seven1.iwinv[.]net host PHP bulletin board endpoints that silently accept the stolen data.
Persistent Threat
The campaign demonstrates a sophisticated supply chain compromise. Gems published under the zon alias are often yanked—removed from RubyGems—within days, only to be mirrored in continuous integration caches and redistributed under new names by the same actor. Despite periodic infrastructure shifts, the core credential-stealing routine remains unchanged, enabling persistent fingerprinting of infected hosts. This approach leverages grey-hat marketers’ reliance on disposable accounts; victims rarely report breaches, opting instead to abandon compromised identities and continue operations without suspicion.
Broader Context
This incident is part of a larger trend of supply chain attacks targeting open-source ecosystems. For instance, in June 2025, two malicious RubyGems packages posing as Fastlane CI/CD plugins were discovered. These packages redirected Telegram API requests to attacker-controlled servers to intercept and steal data. Similarly, in May 2022, a critical vulnerability in RubyGems allowed unauthorized package takeover, enabling attackers to unpublish and republish gems with malicious content. These incidents underscore the growing sophistication of supply chain attacks and the need for enhanced vigilance within the developer community.
Mitigation Measures
To protect against such threats, developers and organizations should implement the following measures:
1. Verify Package Authenticity: Before integrating any package, verify its authenticity by checking the publisher’s credentials, reading user reviews, and examining the package’s codebase.
2. Monitor Dependencies: Regularly audit and monitor dependencies for any signs of malicious activity or unauthorized changes.
3. Implement Least Privilege Principle: Limit the permissions granted to third-party packages to the minimum necessary for their functionality.
4. Stay Informed: Keep abreast of the latest security advisories and updates related to the packages and tools in use.
5. Educate Teams: Provide training to development teams on the risks associated with supply chain attacks and best practices for mitigating them.
By adopting these measures, developers can reduce the risk of falling victim to supply chain attacks and protect sensitive user data from being compromised.
