Open Source · 2019-08-14 · 5 days · Data Exfiltration, Remote Code Execution

rest-client gem backdoor stole credentials

A reused maintainer password let attackers publish rest-client 1.6.10-1.6.13 to RubyGems. Production Rails apps could fetch Pastebin code and leak secrets.

Story

rest-client was an old, widely used Ruby HTTP client. In August 2019, attackers used a compromised RubyGems maintainer account to publish malicious releases in the 1.6 line, a branch old enough to avoid immediate attention but still present in real applications.

The weak point was ordinary password reuse. Sonatype cited the project thread: the maintainer had not logged into RubyGems in years, and the account password had appeared in an older breach. The attacker did not need the GitHub repository; registry publishing rights were enough.

The backdoor activated in Rails production environments. It fetched Ruby code from Pastebin, executed it, and sent host URLs and environment variables to attacker infrastructure. Sonatype's summary also noted a cookie-triggered path that could evaluate attacker-supplied Ruby code and expose authentication data in affected applications.

RubyGems yanked the malicious releases and locked the compromised account, and the project released 1.6.14 to supersede the poisoned 1.6.x builds. The attack was small in downloads (roughly one thousand, according to the project thread) but large in its lesson: a stale dependency line is not inert if it still resolves from the registry.
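The practical check this incident calls for is a lockfile and artifact audit: confirm no application still pins one of the yanked 1.6.x releases, and confirm that any cached .gem file does not match the published malicious digests. The Ruby below is an added example written for this page, not code from the rest-client project or from the incident record; the sample Gemfile.lock is constructed, and the version list and SHA-256 digests are the ones given in this record.

```ruby
require "digest"

# Versions listed as compromised in this incident record.
COMPROMISED_VERSIONS = %w[1.6.10 1.6.11 1.6.12 1.6.13].freeze

# SHA-256 digests of the malicious gem files, as listed in this record.
MALICIOUS_SHA256 = %w[
  9900a959f1ebf2a27e45f5a9ebff2440edc7a91181e4aae2d3c89dd03dca3dfe
  cca62351eceaebe5ba440a8fc00a3170a58e0af67a755d2bce743c11a2b1437e
].freeze

# Parse the "specs:" block of a Gemfile.lock and return every resolved
# "name" => "version" pair. Bundler writes each resolved gem as a line
# indented by four spaces, e.g. "    rest-client (1.6.12)"; the
# six-space lines beneath it are that gem's dependency requirements
# (e.g. "      mime-types (>= 1.16)") and are skipped.
def resolved_gems(lockfile_text)
  gems = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # A non-indented line such as "PLATFORMS" ends the specs block.
    in_specs = false if in_specs && line !~ /\A\s/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([\d.]+)\)\s*\z/))
      gems[m[1]] = m[2]
    end
  end
  gems
end

# Return the compromised rest-client version pinned in the lockfile, or nil.
def compromised_rest_client(lockfile_text)
  version = resolved_gems(lockfile_text)["rest-client"]
  COMPROMISED_VERSIONS.include?(version) ? version : nil
end

# True if the bytes of a .gem file hash to one of the known malicious digests.
def malicious_gem_bytes?(bytes)
  MALICIOUS_SHA256.include?(Digest::SHA256.hexdigest(bytes))
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (1.25.1)
      rest-client (1.6.12)
        mime-types (>= 1.16)

  PLATFORMS
    ruby

  DEPENDENCIES
    rest-client (~> 1.6)
LOCK

# Usage: ruby audit.rb [Gemfile.lock] [vendor/cache/rest-client-1.6.12.gem]
if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  if (v = compromised_rest_client(text))
    puts "rest-client #{v} is a yanked, backdoored release: upgrade and rotate exposed secrets"
  else
    puts "no compromised rest-client release is pinned"
  end
  if ARGV[1] && malicious_gem_bytes?(File.binread(ARGV[1]))
    puts "#{ARGV[1]} matches a known malicious digest"
  end
end
```

The lockfile check matters more than the digest check in practice: a yanked gem no longer installs from RubyGems, but a copy already in vendor/cache or a private mirror still does, and the lockfile is what tells you whether an application ever resolved one of the poisoned versions and therefore needs its environment secrets rotated.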

Affected Artifacts

rest-client

Observed
2019-08-14 to 2019-08-19
Compromised Versions
  • 1.6.10
  • 1.6.11
  • 1.6.12
  • 1.6.13
Fixed
Not listed
Hashes
  • sha256:9900a959f1ebf2a27e45f5a9ebff2440edc7a91181e4aae2d3c89dd03dca3dfe
  • sha256:cca62351eceaebe5ba440a8fc00a3170a58e0af67a755d2bce743c11a2b1437e
Note
Versions 1.6.10 through 1.6.13 were malicious; version 1.6.14 was released to supersede the affected legacy 1.6.x line.

Incident Context

Motive
Financial Gain
Attribution
Person
Cause
Compromised Account Credentials
Transitive
No
Actor
Individual Hacker
User Impact
1000

External References

Source record: oss/attacks/rest-client/meta.yaml