rest-client - isotope¹³

Incident Summary

rest-client gem backdoor steals credentials.

A maintainer's RubyGems.org account was compromised through password reuse, allowing attackers to publish malicious versions of the rest-client gem. The backdoor exfiltrated environment variables and accepted remote commands, turning a familiar HTTP client into a small control plane inside Ruby applications.

Date: 2019-08-14 to 2019-08-19
Category: Open Source
Target Surface: Package registry
Insertion Phase: distribution
Impact: Data Exfiltration
Cause: Compromised Account/Credentials

What Was Affected

Package rest-client

Languageruby

ComponentLibrary

Artifact typesource archive

Domain typepackage host

Domain rubygems.org

Repository github.com/rest-client/rest-client

Compromised Versions

Incident Context

Motive: Financial Gain
Attribution: Individual Hacker
Transitive: No
User Impact: 2450
Observed Duration: 5 days

Evidence

Compromised Artifacts

Current Artifacts and Analysis

Indicators and Changes

Hashes

sha256:9900a959f1ebf2a27e45f5a9ebff2440edc7a91181e4aae2d3c89dd03dca3dfe
sha256:cca62351eceaebe5ba440a8fc00a3170a58e0af67a755d2bce743c11a2b1437e

External References

helpnetsecurity.com/2019/08/21/backdoored-ruby-gems

Source Data

Source record: oss/rest-client/meta.yaml