
60 Malicious Packages Target RubyGems, PyPI in Credential Theft Campaign

Malicious RubyGems and PyPI Packages Exploit Social Media and Crypto Users, Prompting New Security Measures

  • Sixty malicious software packages targeted the RubyGems platform by disguising themselves as automation tools for social media and messaging.
  • The compromised packages have been available since at least March 2023 and were downloaded over 275,000 times, according to Socket.
  • Attackers used these tools to steal user credentials, especially focusing on Windows users in South Korea.
  • The Python Package Index (PyPI) was also found to contain fake packages designed to steal cryptocurrency from Bittensor wallets.
  • In response to these attacks, PyPI announced new measures to prevent confusion attacks and will soon reject certain malicious package uploads.

A group of 60 harmful software packages was uncovered on the RubyGems platform, posing as legitimate automation tools for websites like Instagram, Twitter, TikTok, and Telegram. These tools, active since at least March 2023, were published under several different aliases and aimed to steal user credentials.

The packages have been downloaded more than 275,000 times, though this number does not represent confirmed infections. Some downloads occurred on the same computers or did not result in the software being run. Socket, the company that identified the activity, stated that the packages offered real functionality but also secretly gathered usernames and passwords through simple user interfaces.

According to researcher Kirill Boychenko, the attackers pretended to offer features like bulk posting or engagement but tricked users into giving up sensitive information. “Each gem functions as a Windows-targeting infostealer, primarily (but not exclusively) aimed at South Korean users, as evidenced by Korean-language UIs and exfiltration to .kr domains,” Socket explained. Attackers sent stolen data to servers advertising bulk social media tools, such as programzon[.]com and appspace[.]kr.

Some of these malicious tools also targeted finance-focused forums, promoting features like flooding investment discussions to manipulate stock visibility and public perception. The main victims appear to be individuals using automation tools for marketing or engagement campaigns.

Separately, GitLab identified several fake Python packages in PyPI that imitated popular Bittensor libraries. These packages contained code designed to steal cryptocurrency by hijacking staking functions. “By hiding malicious code within legitimate-looking staking functionality, the attackers exploited both the technical requirements and user psychology of routine blockchain operations,” GitLab's Vulnerability Research team stated.

In response to these incidents, PyPI announced that it will increase security by rejecting package uploads that could be used for so-called “ZIP confusion attacks.” This change is part of a broader effort to stop the spread of malicious software through third-party code libraries. PyPI will begin rejecting packages with mismatched ZIP archive contents starting February 1, 2026, following a six-month warning period.
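
An added example, not from the original article or from PyPI: a local audit that flags wheels whose ZIP entries disagree with the wheel's own RECORD file, on the assumption that RECORD is what the "mismatched ZIP archive contents" check compares against. `build_wheel`, `record_mismatches` and the `demo` package are hypothetical names, and the sample wheels are constructed in memory.

```python
import csv
import io
import zipfile

RECORD_PATH = "demo-1.0.dist-info/RECORD"  # constructed sample path


def build_wheel(files, record_names):
    """Build a constructed in-memory wheel. `files` (name -> text) go into
    the ZIP; `record_names` are the paths that RECORD claims are present."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        # RECORD rows are "path,hash,size"; hashes are left empty here
        # because this example only compares the path sets.
        rows = "".join(f"{n},,\n" for n in list(record_names) + [RECORD_PATH])
        zf.writestr(RECORD_PATH, rows)
    return buf.getvalue()


def record_mismatches(wheel_bytes):
    """Return (unlisted, missing, duplicates): entries in the ZIP but not in
    RECORD, entries in RECORD but not in the ZIP, and names stored twice."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        record = [n for n in names if n.endswith(".dist-info/RECORD")]
        if len(record) != 1:
            raise ValueError("expected exactly one RECORD file")
        text = zf.read(record[0]).decode("utf-8")
    listed = {row[0] for row in csv.reader(io.StringIO(text)) if row}
    present = set(names)
    duplicates = sorted({n for n in names if names.count(n) > 1})
    return sorted(present - listed), sorted(listed - present), duplicates


if __name__ == "__main__":
    clean = build_wheel({"demo/__init__.py": "x = 1\n"}, ["demo/__init__.py"])
    extra = build_wheel(
        {"demo/__init__.py": "x = 1\n", "demo/_hidden.py": "y = 2\n"},
        ["demo/__init__.py"],
    )
    print("clean:", record_mismatches(clean))
    print("extra:", record_mismatches(extra))
```

Any non-empty result means the archive and its metadata tell different stories about what will be installed, which is worth investigating before the wheel reaches a build or mirror.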
