- Sixty malicious software packages targeted the RubyGems platform by disguising as automation tools for social media and messaging.
- The compromised packages have been available since at least March 2023 and were downloaded over 275,000 times, according to Socket.
- Attackers used these tools to steal user credentials, especially focusing on Windows users in South Korea.
- The Python Package Index (PyPI) was also found to contain fake packages designed to steal cryptocurrency from Bittensor wallets.
- In response to these attacks, PyPI announced new measures to prevent confusion attacks and will soon reject certain malicious package uploads.
A group of 60 harmful software packages was uncovered on the RubyGems platform, posing as legitimate automation tools for websites like Instagram, Twitter, TikTok, and Telegram. These tools, active since at least March 2023, were published under several different aliases and aimed to steal user credentials.
The packages have been downloaded more than 275,000 times, though this number does not represent confirmed infections. Some downloads occurred on the same computers or did not result in the software being run. Socket, the company that identified the activity, stated that the packages offered real functionalities but also secretly gathered usernames and passwords through simple user interfaces.
According to researcher Kirill Boychenko, the attackers pretended to offer features like bulk posting or engagement but tricked users into giving up sensitive information. “Each gem functions as a Windows-targeting infostealer, primarily (but not exclusively) aimed at South Korean users, as evidenced by Korean-language UIs and exfiltration to .kr domains,” Socket explained. Attackers sent stolen data to servers advertising bulk social media tools, such as programzon[.]com and appspace[.]kr.
Some of these malicious tools also targeted finance-focused forums, promoting features like flooding investment discussions to manipulate stock visibility and public perception. The main victims appear to be individuals using automation tools for marketing or engagement campaigns.
Separately, GitLab identified several fake Python packages in PyPI that imitated popular Bittensor libraries. These packages contained code designed to steal cryptocurrency by hijacking staking functions. “By hiding malicious code within legitimate-looking staking functionality, the attackers exploited both the technical requirements and user psychology of routine blockchain operations,” GitLab‘s Vulnerability Research team stated.
In response to these incidents, PyPI announced that it will increase security by rejecting package uploads that could be used for so-called “ZIP confusion attacks.” This change is part of a broader effort to stop the spread of malicious software through third-party code libraries. PyPI will begin rejecting packages with mismatched ZIP archive contents starting February 1, 2026, following a six-month warning period.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Standard Chartered, Animoca JV Apply for Hong Kong Stablecoin License
- GreedyBear Malware Uses Fake Firefox Wallet Extensions to Steal $1M
- Ripple XRP Soars 11% as SEC Case Ends, Trump 401k Order Lifts Hopes
- Trump Executive Order Opens 401(k) Accounts to Cryptocurrency Investments
- Block Adds 108 BTC in Q2, Bitcoin Holdings Now Worth $1.15B
