

Ethical Hacking News

RubyGems and PyPI Hit by Malicious Packages Stealing Credentials, Crypto, Forcing Security Changes




A recent surge in malicious activity has been detected on two prominent software repositories: RubyGems and the Python Package Index (PyPI). A total of 60 malicious packages have been uncovered targeting the RubyGems ecosystem, with the activity assessed to be active since at least March 2023. The threat actor behind this campaign is believed to use the aliases zon, nowon, kwonsoonje, and soonje, and has published these malicious gems posing as automation tools for various social media platforms. The gems deliver the promised functionality but also harbor covert functionality that exfiltrates usernames and passwords to an external server under the threat actor's control.



  • A total of 60 malicious packages have been detected on RubyGems, targeting users over 275,000 times since March 2023.
  • The threat actor uses aliases to publish gems posing as social media automation tools, exfiltrating usernames and passwords.
  • Grey-hat marketers are targeted by these malicious gems, used for spam, SEO, and engagement campaigns.
  • A campaign was discovered on PyPI, stealing cryptocurrency from Bittensor wallets using typosquatting packages.
  • New restrictions have been imposed on PyPI to secure Python package installers and inspectors.
  • PyPI will begin rejecting wheels with non-matching ZIP contents in February 2026.



A recent surge in malicious activity has been detected on two prominent software repositories: RubyGems and the Python Package Index (PyPI). According to a report from the software supply chain security company Socket, a total of 60 malicious packages have been uncovered targeting the RubyGems ecosystem by posing as seemingly innocuous automation tools for social media, blogging, or messaging services. These gems have been downloaded more than 275,000 times, and the activity is assessed to have been active since at least March 2023.

The threat actor behind this campaign is believed to use the aliases zon, nowon, kwonsoonje, and soonje, and has published these malicious gems posing as automation tools for various social media platforms. The gems deliver the promised functionality, but they also display a simple graphical user interface that prompts for the user's credentials and covertly exfiltrate the entered usernames and passwords to an external server under the threat actor's control.

Some of the gems, such as njongto_duo and jongmogtolon, are notable for focusing on financial discussion platforms. These libraries were marketed as tools to flood investment-related forums with ticker mentions, stock narratives, and synthetic engagement to amplify visibility and manipulate public perception. This indicates that the target audience for these malicious gems is likely grey-hat marketers who rely on such tools to run spam, search engine optimization (SEO), and engagement campaigns that artificially boost visibility.

The servers used to receive the captured information include programzon[.]com, appspace[.]kr, and marketingduo[.]co[.]kr. These domains have been found to advertise bulk messaging, phone number scraping, and automated social media tools. The campaign evolved across multiple aliases and infrastructure waves, suggesting a mature and persistent operation.

Each gem functions as a Windows-targeting infostealer, primarily (but not exclusively) aimed at South Korean users, as evidenced by Korean-language UIs and exfiltration to .kr domains. By embedding credential theft functionality within gems marketed to automation-focused grey-hat users, the threat actor covertly captures sensitive data while blending into activity that appears legitimate.

This development comes as GitLab detected multiple typosquatting packages on PyPI that are designed to steal cryptocurrency from Bittensor wallets by hijacking the legitimate staking functions. The names of the Python libraries are bitensor (versions 9.9.4 and 9.9.5), bittenso-cli, qbittensor, and bittenso.

The discovery of these malicious packages highlights the need for improved security measures to protect software repositories from such threats. It also underscores the importance of staying vigilant and monitoring prominent software repositories for suspicious activity.

In response to this threat, PyPI maintainers have imposed new restrictions to protect Python package installers and inspectors from confusion attacks arising from differences between ZIP parser implementations. Under the new restrictions, PyPI rejects Python wheels (which are ZIP archives) that attempt to exploit ZIP confusion and smuggle malicious payloads past manual reviews and automated detection tools.

Furthermore, PyPI will warn users when they publish wheels whose ZIP contents don't match the included RECORD metadata file. After 6 months of warnings, on February 1st, 2026, PyPI will begin rejecting newly uploaded wheels whose ZIP contents don't match the included RECORD metadata file.
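The RECORD comparison described above is something a build pipeline or an internal mirror can run on its own before a wheel is accepted. The following is an added example, not PyPI's implementation: it opens a wheel as a ZIP, parses the `.dist-info/RECORD` manifest, and reports archive entries that RECORD does not list, RECORD rows with no archive entry, entries whose digest or size disagree with RECORD, and duplicate entry names (the case where different ZIP parsers can disagree about which copy they extract). The sample wheels, the `demo-1.0` distribution name and the file contents are constructed in memory for the demonstration.

```python
"""Check that a wheel's ZIP contents agree with its RECORD file.

Added example, not PyPI's own implementation of the check described above.
A wheel is a ZIP archive; its <dist>-<version>.dist-info/RECORD lists every
file as 'path,sha256=<urlsafe-base64 digest>,size'. check_wheel_record() reports
archive entries RECORD does not list (a smuggled file), RECORD rows with no
archive entry, entries whose digest or size differ from RECORD, and duplicate
entry names, which different ZIP parsers resolve differently. make_wheel()
builds small constructed sample wheels in memory for the demonstration.
"""
import base64
import csv
import hashlib
import io
import warnings
import zipfile

DIST_INFO = "demo-1.0.dist-info/"  # constructed distribution name for the samples


def record_digest(data: bytes) -> str:
    """RECORD hash field: 'sha256=' + urlsafe base64 of the digest, padding stripped."""
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_wheel_record(wheel_bytes: bytes) -> dict:
    """Return sorted lists under 'duplicates', 'unlisted', 'missing' and 'mismatched'."""
    zf = zipfile.ZipFile(io.BytesIO(wheel_bytes))
    result = {"duplicates": [], "unlisted": [], "missing": [], "mismatched": []}
    # Walk the central directory ourselves: ZipFile.read() silently picks one of
    # two same-named entries, which is exactly the parser disagreement at issue.
    seen = set()
    for info in zf.infolist():
        if info.is_dir():
            continue
        if info.filename in seen:
            result["duplicates"].append(info.filename)
        seen.add(info.filename)
    record_names = [n for n in seen if n.endswith(".dist-info/RECORD")]
    if len(record_names) != 1:
        raise ValueError("wheel must contain exactly one .dist-info/RECORD")
    record_name = record_names[0]
    dist_info = record_name[: -len("RECORD")]
    # RECORD lists itself with an empty hash and size, and signature files beside
    # it need not be listed, so none of these is checked against a digest.
    unverifiable = {record_name, dist_info + "RECORD.jws", dist_info + "RECORD.p7s"}
    listed = {}
    for row in csv.reader(io.StringIO(zf.read(record_name).decode("utf-8"))):
        if row:
            listed[row[0]] = (row[1], row[2])
    for name in seen - unverifiable:
        if name not in listed:
            result["unlisted"].append(name)
            continue
        data = zf.read(name)
        if listed[name] != (record_digest(data), str(len(data))):
            result["mismatched"].append(name)
    for path in listed:
        if path not in unverifiable and path not in seen:
            result["missing"].append(path)
    return {key: sorted(value) for key, value in result.items()}


def make_wheel(entries, record_for=None) -> bytes:
    """Constructed sample wheel: `entries` is a list of (path, bytes) written in order
    (a repeated path produces a duplicate entry); RECORD is computed from `record_for`
    (a path->bytes dict) or, by default, from `entries`."""
    record_for = dict(entries) if record_for is None else record_for
    rows = [[path, record_digest(data), str(len(data))] for path, data in record_for.items()]
    rows.append([DIST_INFO + "RECORD", "", ""])
    text = io.StringIO()
    csv.writer(text, lineterminator="\n").writerows(rows)
    out = io.BytesIO()
    with warnings.catch_warnings(), zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        warnings.simplefilter("ignore")  # zipfile warns on a duplicate name; that is the point
        for path, data in entries:
            zf.writestr(path, data)
        zf.writestr(DIST_INFO + "RECORD", text.getvalue())
    return out.getvalue()


# Constructed sample contents.
CODE = b"def hello():\n    return 'hi'\n"
META = b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n"
BASE = [("demo/__init__.py", CODE), (DIST_INFO + "METADATA", META)]

CLEAN = make_wheel(BASE)
SMUGGLED = make_wheel(BASE + [("demo/_extra.py", b"# not in RECORD\n")], record_for=dict(BASE))
TAMPERED = make_wheel(BASE, record_for={**dict(BASE), "demo/__init__.py": b"# original\n"})
DUPLICATED = make_wheel(BASE + [("demo/__init__.py", b"# second copy\n")], record_for=dict(BASE))

if __name__ == "__main__":
    for label, wheel in [("clean", CLEAN), ("smuggled", SMUGGLED),
                         ("tampered", TAMPERED), ("duplicated", DUPLICATED)]:
        print(label, check_wheel_record(wheel))
```

The clean wheel produces four empty lists; the other three each light up the finding they were built to show (the duplicated wheel is also reported as mismatched, because the second copy is what `ZipFile.read()` returns). Pointing `check_wheel_record()` at a real `.whl` file's bytes works unchanged, which makes it a cheap admission gate for a private index.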

This move is seen as a step in the right direction toward mitigating the risk posed by these malicious packages and keeping software repositories secure.



Related Information:
  • https://www.ethicalhackingnews.com/articles/RubyGems-and-PyPI-Hit-by-Malicious-Packages-Stealing-Credentials-Crypto-Forcing-Security-Changes-ehn.shtml

  • https://thehackernews.com/2025/08/rubygems-pypi-hit-by-malicious-packages.html


  • Published: Fri Aug 8 07:19:25 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.
