Malicious version 3.2.0.3 has been replaced – update now

A malicious version of a popular Ruby library that allowed remote code execution (RCE) was published after a maintainer’s account is believed to have been hijacked.

The backdoor was found in Bootstrap-Sass, a frontend user interface framework for Ruby and Ruby on Rails.

Software developer Derek Barnes came across the malicious code when he noticed that version 3.2.0.2 – which isn’t believed to have been malicious – had been removed from the RubyGems repository and swiftly replaced with version 3.2.0.3.

Taking a deeper dive into the later version, which had been updated on RubyGems but not on the official GitHub repository, Barnes became suspicious and alerted the maintainers of the open source library.

Sure enough, problems that allowed miscreants to plant a backdoor on vulnerable systems were subsequently identified.

The backdoor was found hiding in a new file, lib/active-controller/middleware.rb.

To date, the Bootstrap-Sass library has been downloaded more than 28 million times, though only a tiny fraction of users – 1,470 – installed the malicious version.

According to open source vulnerability monitoring service Snyk, which has detailed the timeline of events in this blog post, the problem arose after credentials of one of the maintainers were compromised.

This allegedly allowed the malicious version to be uploaded – though this claim hasn’t been confirmed.

An hour after Barnes raised the issue, version 3.2.0.3 was removed and the maintainers all updated their passwords.

A new version – 3.2.0.4 – has now been released, and it is identical to 3.2.0.2. Bootstrap-Sass users are urged to update to this version of the software as soon as possible.
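For teams that need to confirm whether they pulled in the bad release, the two facts the article gives are enough to check for: a Gemfile.lock pinning bootstrap-sass 3.2.0.3, and the presence of the file lib/active-controller/middleware.rb inside an installed copy of the gem (a legitimate bootstrap-sass release does not ship that file). The Ruby script below is an added example, not code from the article, from Snyk or from the bootstrap-sass project; the Gemfile.lock it parses is constructed for the example, and the dependency versions in it are made up. The directory name pattern bootstrap-sass-* follows the usual RubyGems install layout, which is an assumption about the reader's environment.

```ruby
# Added example (not from the article): flag the malicious bootstrap-sass pin
# in a Gemfile.lock and look for the backdoor file in installed gem directories.

MALICIOUS_VERSION = "3.2.0.3"
BACKDOOR_FILE = "lib/active-controller/middleware.rb"

# Constructed Gemfile.lock for the example; dependency versions are made up.
SAMPLE_LOCKFILE = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    bootstrap-sass (3.2.0.3)
      sassc (>= 2.0.0)
    sassc (2.0.1)

PLATFORMS
  ruby

DEPENDENCIES
  bootstrap-sass (~> 3.2.0)
LOCK

# Parse every "specs:" section of a Gemfile.lock into { gem_name => version }.
# Resolved gems sit at four spaces of indentation ("    name (version)");
# their dependencies are indented further and are deliberately ignored.
def parse_lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    # A non-indented line (PLATFORMS, DEPENDENCIES, ...) ends the specs section.
    in_specs = false if in_specs && line =~ /^\S/
    next unless in_specs
    specs[$1] = $2 if line =~ /^    (\S+) \(([^)]+)\)\s*$/
  end
  specs
end

# Return the resolved bootstrap-sass version if it is the malicious one, else nil.
def flag_bootstrap_sass(lock_text)
  version = parse_lockfile_specs(lock_text)["bootstrap-sass"]
  version == MALICIOUS_VERSION ? version : nil
end

# Look for the backdoor file under any installed bootstrap-sass-* gem directory.
# gem_dirs defaults to the "gems" directories on the current RubyGems path.
def backdoor_files(gem_dirs = Gem.path.map { |p| File.join(p, "gems") })
  gem_dirs.flat_map do |dir|
    Dir.glob(File.join(dir, "bootstrap-sass-*", BACKDOOR_FILE))
  end
end

if __FILE__ == $PROGRAM_NAME
  lock_path = ARGV[0]
  lock_text = lock_path ? File.read(lock_path) : SAMPLE_LOCKFILE
  if (v = flag_bootstrap_sass(lock_text))
    puts "Gemfile.lock pins bootstrap-sass #{v}: update to 3.2.0.4"
  else
    puts "Gemfile.lock does not pin the malicious bootstrap-sass version"
  end
  hits = backdoor_files
  puts(hits.empty? ? "No backdoor file found in installed gems" : "Backdoor file present: #{hits.join(', ')}")
end
```

Run it as `ruby check_bootstrap_sass.rb path/to/Gemfile.lock`; with no argument it checks the constructed sample lockfile. The lockfile check catches the pin even when the gem has not been installed yet, and the filesystem check catches a copy already installed outside a Bundler-managed project, so both are worth running on build hosts and developer machines.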