As per the latest report by the security researchers, it has been stated that more than 700 malicious Gems were uploaded by the hackers to RubyGems Repository. However, the researchers wanted to check the practice of package typosquatting is going on, and how popular does it go.

Thus during the analysis, they discovered that all carried a feasible file that carries the same filename and the PNG expansion; well, they thought that it was used to masquerade the feasible as an image file.  However, the file was also established on the corresponding path, just like in every single gem.

Moreover, these packages also carried a type of file that is a gemspec file that comprises necessary metadata regarding the gem. Not only this, but it also holds various data regarding extensions as well.

Well, all these data operate an extension that restrains the target platform, and in case if it’s Windows, then it renames the PNG file within an EXE file and administers it.

Typosquatting RubyGems to Steal Cryptocurrency

Typosquatting is a type of brandjacking attack that relies on users by putting themselves in harm’s way by providing a mistyping web address or a library name that represents successful and attractive packages in software records.

Well, most of the people know very well about the RubyGems, as, it is a famous and successful package manager which simply makes it easier for every developer to administer, maintain, and install Ruby programs and libraries.

Well, by using this type of attack, the hackers want to purposely name ill-disposed packages to match the successful ones very firmly, for example, RSpec-mocks rather then RSpec_mocks, as this gives them hopes that an inexperienced user will somehow mistype the name and accidentally install the ill-disposed package.


Thus, after examining the attacks of RubyGems, it was disclosed that all the gems that are started from two different user accounts – “Jim Carrey” and “PeterGibbons.” That has a reasonably high number of downloads. However, according to the reports, it looks like they have been caught, as the account of “PeterGibbons” was actively continuing new typosquatting gems during the analysis.

Moreover, it was declared that the developers who downloaded the libraries unintentionally into their projects must examine to detect if they’ve applied the exact package names and did not inadvertently used the typosquatting versions.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.