Two malicious Ruby packages have been observed installing a clipboard hijacker that executes itself persistently on infected Windows machines. If developers integrate the malicious packages with their project, it would create a supply chain attack.

What happened?

The two malicious packages: ruby-bitcoin and pretty_color, were found masquerading as a bitcoin library and a library for showing strings with various color effects, respectively.
  • The ruby-bitcoin included an extconf[.]rb script with an obfuscated base64 encoded string. This creates a malicious VBS file and sets it up to start automatically whenever a user logs into Windows. 
  • The package pretty_color had valid files that were taken from a trusted open-source component, colorize. It was an exact copy of the benign colorize package and has all its code, including README.
  • The ruby-bitcoin package was added to RubyGems on December 7 with 81 downloads. Another one, the pretty_color package was added on December 13, having 61 downloads.

None of the cryptocurrency addresses had received any funds as both the malicious clipboard packages were removed just a day after being added to their repository.

Recent supply chain attacks

Supply chain attacks are growing because a single intrusion in a project can affect or target multiple users without any hassle. 
  • Recently, Trojanized versions of SolarWinds' Orion software were used in a massive supply chain attack across several U.S. Federal agencies.
  • In early-December, malicious NPM packages were observed to be installing the njRAT remote access trojan.


Software supply chains are expected to grow and could be exploited more by advanced threat actors in the coming time. Thus, experts suggest organizations frequently assess their supplier network, know the risks related to third-party suppliers, and implement a cybersecurity plan considering supply chain management.

Cyware Publisher