wow that sucks.
Undid the trailing ellipsis in the title so people could know the vulnerable package without clicking through…
The backdoor was wisely hidden in the 22.214.171.124 version that was only published to RubyGems and no source of the malicious version existed on the GitHub repository and allowed remote attackers to dynamically execute code on servers hosting the vulnerable versions.
So, uh, this single line completely undermines the use of these repos, ne?
Thinking of it practically, I’d much rather pin something to a repo than a keyword.
gem install https://allthe.codes/interi/lib is better than
gem install interi.
I’ve always done this and got made fun of a couple of times when sharing code, but I personally want to know where my code is coming from, and I didn’t understand how these repos are accountable. I still believe I’m just acting out my paranoid delusions, so you know how surprised I am to read that.
bootstrap-sass package is very popular and the malicious backdoor potentially affects a large set of users. The package’s GitHub repository has been starred more than 12,000 times, and features over 27 million downloads in total. The current version, 3.4.1, has over 217,000 downloads.
A quick analysis shows roughly 1,670 GitHub repositories that may have been exposed to the malicious library through direct use. This number will increase significantly when counting its usage in applications as a transitive dependency.
On March 26th, version 126.96.36.199 was published by malicious actors. The version hides a backdoor in a new file, lib/active-controller/middleware.rb. The backdoor taps into another Ruby module and modifies it so that specific cookies that are sent by the client will be Base64 decoded and then evaluated in runtime, to effectively allow remote code execution.
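Two of the facts quoted above are checkable on a deployed host: the malicious release added a file (lib/active-controller/middleware.rb) that never existed in the GitHub source, and that file decoded a client cookie and evaluated it. The script below is an added example, not code from the thread, the Snyk write-up, or the bootstrap-sass project. It diffs the Ruby file list of an installed gem against a source checkout and flags any file that reads a cookie, calls Base64 decode and evals; the directories, the benign stand-in files and the stand-in "injected" file are all constructed in a temp dir so it runs offline (the stand-in is text that gets scanned, never loaded).

```ruby
require 'tmpdir'
require 'fileutils'

# Indicator taken from the write-up: the malicious release added this file,
# which did not exist in the GitHub source. Everything else here is constructed.
BACKDOOR_PATH = 'lib/active-controller/middleware.rb'

# Heuristic for the described behaviour: a file that touches a cookie, Base64
# decodes something, and evals it. All three must match to keep noise down.
PATTERNS = {
  cookie: /cookie/i,
  decode: /Base64\.(urlsafe_)?decode64/,
  eval:   /\b(eval|instance_eval|class_eval|module_eval)\b/
}.freeze

def decodes_and_evals_cookie?(path)
  src = File.read(path)
  PATTERNS.values.all? { |re| src.match?(re) }
end

# Relative paths of all .rb files under dir, sorted for stable diffs.
def ruby_files(dir)
  Dir.glob(File.join(dir, '**', '*.rb')).map { |f| f.sub("#{dir}/", '') }.sort
end

# Files shipped in the installed gem that the source checkout does not have.
def files_missing_from_source(installed_dir, source_dir)
  ruby_files(installed_dir) - ruby_files(source_dir)
end

# Returns [[relative_path, reason], ...] for every finding.
def scan_installed_gem(installed_dir, source_dir)
  findings = []
  files_missing_from_source(installed_dir, source_dir).each do |rel|
    findings << [rel, :not_in_source]
  end
  ruby_files(installed_dir).each do |rel|
    findings << [rel, :known_backdoor_path] if rel == BACKDOOR_PATH
    if decodes_and_evals_cookie?(File.join(installed_dir, rel))
      findings << [rel, :cookie_decode_eval]
    end
  end
  findings.sort
end

# Constructed fixture: a fake "git checkout" and a fake "installed gem" that
# differ only by the injected file. Returns [installed_dir, source_dir].
def build_demo
  root = Dir.mktmpdir('gem-audit')
  source = File.join(root, 'source')
  installed = File.join(root, 'installed')
  %w[lib/bootstrap-sass.rb lib/bootstrap-sass/version.rb].each do |rel|
    [source, installed].each do |base|
      FileUtils.mkdir_p(File.dirname(File.join(base, rel)))
      File.write(File.join(base, rel), "# constructed benign file\nmodule Bootstrap; end\n")
    end
  end
  # Constructed stand-in for the injected file; it is only text to scan.
  bad = File.join(installed, BACKDOOR_PATH)
  FileUtils.mkdir_p(File.dirname(bad))
  File.write(bad, "require 'base64'\n# decodes a request cookie and evaluates it\n" \
                  "eval(Base64.decode64(cookie_value))\n")
  [installed, source]
end

if __FILE__ == $PROGRAM_NAME
  installed, source = build_demo
  scan_installed_gem(installed, source).each { |rel, why| puts "#{why}: #{rel}" }
end
```

Against a real host you would point `installed_dir` at the gem's directory under `gem environment gemdir` and `source_dir` at a checkout of the tag the release claims to correspond to; the file-list diff is the part that catches a file published only to RubyGems even when it does not match the cookie/decode/eval heuristic.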
Oh, that’s hot! What a mindfuck, huh?
- Hands cookies over.
Wow, they caught it pretty quickly. This appears to be the RCA: https://github.com/twbs/bootstrap-sass/issues/1195#issuecomment-479884504