The rest-client gem 1.6.10 up to and including 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions <=1.6.9 and >=1.6.14 are unaffected.
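As an added illustration of the affected version range stated above (this is not code from the rest-client project or from this page's source), the following Ruby script checks a Gemfile.lock for a pinned rest-client version inside the backdoored range. It compares versions with `Gem::Version` rather than as strings, because a string comparison would sort "1.6.9" after "1.6.13" and misreport the unaffected release. The sample lockfile is constructed for the example.

```ruby
require "rubygems" # provides Gem::Version for correct semantic version comparison

# Affected range from the advisory: 1.6.10 up to and including 1.6.13.
AFFECTED_MIN = Gem::Version.new("1.6.10")
AFFECTED_MAX = Gem::Version.new("1.6.13")

# Returns true when the given rest-client version string falls inside the
# backdoored range. Gem::Version orders 1.6.9 < 1.6.10 < 1.6.13 < 1.6.14,
# which a plain string comparison would get wrong.
def affected_rest_client?(version_string)
  v = Gem::Version.new(version_string)
  v >= AFFECTED_MIN && v <= AFFECTED_MAX
end

# Scans the text of a Gemfile.lock and returns every pinned rest-client
# version that is in the affected range. Resolved gems appear under the
# "specs:" section as "    name (version)"; the DEPENDENCIES section uses
# requirement operators such as "(~> 1.6)" and is deliberately not matched.
def affected_versions_in_lockfile(lockfile_text)
  lockfile_text.scan(/^\s+rest-client \((\d+(?:\.\d+)*)\)$/).flatten
               .select { |v| affected_rest_client?(v) }
end

# Constructed sample lockfile (not taken from any real project) pinning an
# affected release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.3)
      rest-client (1.6.13)
        mime-types (>= 1.16, < 4.0)
      netrc (0.11.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rest-client (~> 1.6)
LOCK

if __FILE__ == $PROGRAM_NAME
  hits = affected_versions_in_lockfile(SAMPLE_LOCKFILE)
  if hits.empty?
    puts "no affected rest-client version pinned"
  else
    puts "affected rest-client version(s) pinned: #{hits.join(', ')}"
  end
end
```

To check a real project, pass the contents of its Gemfile.lock to `affected_versions_in_lockfile`; an empty result means no pinned rest-client release falls in 1.6.10 through 1.6.13.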
Vulnerable product: rest-client (rest-client project)
Developer account cracked due to credential reuse, source tampered with and released to hundreds of programmers.
An old version of a Ruby software package called rest-client that was modified and released about a week ago has been removed from the RubyGems repository – because it was found to be deliberately leaking victims' credentials to a remote server. Jussi Koljonen, a developer with Visma in Helsinki, Finland, discovered the hacked code in rest-client v1.6.13, and opened an issue to discuss the matter on the GitHub repo for the software. The gem, originally intended to help Ruby developers send RE...