Malicious 'strong_password' Gem Version 0.0.7 Poses Major Security Threat to RubyGems Users
A malicious version of the 'strong_password' gem, version 0.0.7, was published without authorisation, posing a significant security threat to RubyGems users. The compromised gem contains malicious code that executes remote payloads, potentially compromising applications that use or bundle it.
The malicious version 0.0.7 of 'strong_password' was published by Dan Crosta before ownership rights were transferred to Brian McManus. The gem, when used, fetches and evaluates a code payload from a remote server, leading to remote code execution in affected applications (CVE-2019-13354).
The breach was discovered in April 2023 when a developer's build failed due to a bootstrap-sass vulnerability. Upon investigation, it was found that the 'strong_password' gem was inherently malicious, and any host that downloaded and ran it should be considered compromised.
This is not the first time the 'strong_password' gem has been compromised. In November 2018, the event-stream/flatmap-stream hack allowed an attacker to steal cryptocurrency by compromising the gem and its dependencies, even locking out the gem maintainer.
Users and maintainers of RubyGems are urged to remove version 0.0.7 of the 'strong_password' gem from their systems immediately. Sonatype Nexus Repository customers were notified of the breach within hours of its discovery. Further investigation is needed to understand the full extent of the compromise and to prevent similar incidents in the future.