Programmer Discovers Cryptojacking Malware on GitHub

Juskoljo, a GitHub user who has eight repositories on the platform, has discovered cryptojacking malware in 11 code libraries for the Ruby programming language. The libraries containing the malware have reportedly been downloaded nearly four thousand times, according to reports on August 21, 2019.

Cryptojacking Malware in RubyGems

Per sources close to the matter, hackers have managed to inject cryptojacking malware into code libraries for the Ruby programming language hosted on GitHub, a code repository for software developers.

For those who are unaware, cryptojacking is the practice of remotely mining cryptocurrency with a victim's computing resources without their consent.

Though cryptojacking attacks are often orchestrated by hackers with the sole aim of mining cryptos, the activity is very dangerous, since it is capable of crashing the hard disk of the victim.

Specifically, the attackers were said to have injected the code into a package manager called RubyGems.

For the uninitiated, RubyGems is the hosting service of the Ruby community. It enables developers to instantly publish and share their software or make improvements to existing programs.

The hackers reportedly downloaded the software contained in 11 popular libraries on RubyGems, integrated their malicious code into them, and re-uploaded the software to RubyGems under new names. The RubyGems team declared:

“Attackers published a series of rest-client versions from 1.6.10 to 1.6.13 using the login details of a rest-client maintainer whose RubyGems.org account was compromised. The affected versions were downloaded approximately 1000 times.”

The Libraries

Five of the eleven libraries infected by the malware were crypto-related, bearing names like doge_coin, coin_base, and blockchain_wallet.

Out of the five infected crypto-related libraries, coin_base and blockchain_wallet received the most downloads. Coin_base was downloaded 424 times, while blockchain_wallet was downloaded 423 times since July 10, 2019, when the hackers first uploaded the malicious versions.
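A practitioner reading this would want to know whether a project pulled in any of the named packages. The script below is an added example, not code from the article or from the RubyGems team: it scans a Gemfile.lock for the gem names the article lists (doge_coin, coin_base, blockchain_wallet) and for rest-client versions in the 1.6.10 to 1.6.13 range the RubyGems team named. The sample lockfile and the versions shown in it are constructed for illustration; the version comparison uses RubyGems' own Gem::Version and Gem::Requirement classes so that 1.6.9 and 1.6.13 are ordered numerically rather than as strings.

```ruby
# Added example (not from the article or the RubyGems team): audit a
# Gemfile.lock for the gem names and the rest-client version range that the
# report names. Sample data below is constructed for illustration.
require "rubygems" # Gem::Version / Gem::Requirement ship with Ruby

# Gem names the article lists as carrying the malicious code.
SUSPECT_GEM_NAMES = %w[doge_coin coin_base blockchain_wallet].freeze

# rest-client versions the RubyGems team named: 1.6.10 through 1.6.13.
AFFECTED_REST_CLIENT = Gem::Requirement.new(">= 1.6.10", "<= 1.6.13")

# Resolved gems in a Gemfile.lock appear as "    name (version)" (four-space
# indent) under "  specs:"; their dependencies are indented six spaces and
# carry requirement operators, so this pattern only matches resolved entries.
LOCK_ENTRY = /\A {4}([A-Za-z0-9_.\-]+) \((\S+)\)\s*\z/

# Returns one {name:, version:, reason:} hash per matching lockfile entry.
def audit_lockfile(contents)
  findings = []
  contents.each_line do |line|
    m = LOCK_ENTRY.match(line)
    next unless m

    name, version = m[1], m[2]
    if SUSPECT_GEM_NAMES.include?(name)
      findings << { name: name, version: version,
                    reason: "gem name listed in the report" }
    elsif name == "rest-client" &&
          AFFECTED_REST_CLIENT.satisfied_by?(Gem::Version.new(version))
      findings << { name: name, version: version,
                    reason: "rest-client version in the affected range" }
    end
  end
  findings
end

# Renders findings as one line each, suitable for a CI log.
def format_findings(findings)
  return "no suspect gems found" if findings.empty?

  findings.map { |f| "#{f[:name]} #{f[:version]}: #{f[:reason]}" }.join("\n")
end

# Constructed sample lockfile: one suspect gem name, one rest-client version
# inside the affected range, and one outside it.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      coin_base (1.0.0)
      http-cookie (1.0.3)
        domain_name (~> 0.5)
      rest-client (1.6.12)
        mime-types (>= 1.16, < 4.0)
      rest-client (2.0.2)
      rake (12.3.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rest-client
LOCK

if __FILE__ == $PROGRAM_NAME
  # Pass a real lockfile path as the first argument, or run on the sample.
  contents = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts format_findings(audit_lockfile(contents))
end
```

On the sample it reports coin_base by name and rest-client 1.6.12 by version range, and leaves rest-client 2.0.2 alone. The same check applies to any Gemfile.lock, and the name list and version requirement can be extended as an advisory is updated.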

The RubyGems security team says the malicious gem versions have been deleted and that they have been replaced with clean releases.

The team has also promised to implement security measures that would prevent such attacks from occurring in the future.

“We will establish security practices that we expect maintainers to adhere to, including enabling two-factor authentication on their RubyGems.org accounts,” said the RubyGems team.

In related news, BTCManager reported on August 15, 2019, that researchers at the data security company Varonis had discovered a new strain of cryptojacking malware that specializes in mining monero (XMR).