A fresh set of 60 malicious packages has been uncovered targeting the RubyGems ecosystem by posing as seemingly innocuous automation tools for social media, blogging, or messaging services to steal credentials from unsuspecting users.
The activity is assessed to be active since at least March 2023, according to the software supply chain security company Socket. Cumulatively, the gems have been downloaded more than 275,000 times.
That said, it bears noting that the figure may not accurately represent the actual number of compromised systems, as not every download results in execution, and it's possible several of these gems have been downloaded to a single machine.
"Since at least March 2023, a threat actor using the aliases zon, nowon, kwonsoonje, and soonje has published 60 malicious g