ZDNet is reporting that a specific version of the popular Ruby library bootstrap-sass contains a backdoor that allows remote code execution. bootstrap-sass packages the popular Bootstrap CSS framework for use with Ruby.
The infected code was found on RubyGems but not on GitHub where the source code for bootstrap-sass is managed.
This shows the importance of signed commits and sound security practices for free/open source projects. With Git and GitHub, developers can sign commits with a key so that maintainers can verify that each commit really came from a trusted developer. This is especially important for companies that release open source software: there is no reason to harm your brand and reputation by letting a hijacked developer account push backdoor code.
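The detail that matters here is that the malicious code was present in the package published to RubyGems but absent from the GitHub repository. A release-audit step that unpacks the published gem and compares it file by file against the tagged source checkout catches exactly that kind of discrepancy. The Ruby script below is an added example written for this post, not code from the article or from the bootstrap-sass project; it builds two small constructed directory trees in a temporary directory so it runs offline, and `compare_trees` is the check you would point at a real unpacked gem and checkout.

```ruby
# Added example (not from the article or the bootstrap-sass project):
# compare a published artifact's files against the project's source tree
# and report anything that exists only in the artifact or was modified.
require 'digest'
require 'find'
require 'tmpdir'
require 'fileutils'

# Map each relative file path under root to its SHA-256 hex digest.
def tree_digests(root)
  digests = {}
  Find.find(root) do |path|
    next unless File.file?(path)
    rel = path.delete_prefix(root).delete_prefix('/')
    digests[rel] = Digest::SHA256.file(path).hexdigest
  end
  digests
end

# Compare a source checkout with the unpacked published artifact.
# Files that appear only in the artifact are the red flag: they were
# shipped to users without ever being committed to the repository.
def compare_trees(source_root, artifact_root)
  src = tree_digests(source_root)
  art = tree_digests(artifact_root)
  {
    only_in_artifact: (art.keys - src.keys).sort,
    only_in_source:   (src.keys - art.keys).sort,
    modified:         (src.keys & art.keys).select { |k| src[k] != art[k] }.sort
  }
end

# Constructed demo data: a clean "source" tree and an "artifact" tree that
# carries one extra file plus a gemspec edited to ship it.
def demo
  Dir.mktmpdir('gem-audit') do |dir|
    source   = File.join(dir, 'source')
    artifact = File.join(dir, 'artifact')
    [source, artifact].each do |root|
      FileUtils.mkdir_p(File.join(root, 'lib'))
      File.write(File.join(root, 'lib', 'example.rb'),
                 "module Example; VERSION = '1.0.0'; end\n")
      File.write(File.join(root, 'example.gemspec'),
                 "Gem::Specification.new { |s| s.name = 'example' }\n")
    end
    # Constructed discrepancy: a file that never appeared in the repository.
    File.write(File.join(artifact, 'lib', 'extra.rb'), "# not present in git\n")
    File.write(File.join(artifact, 'example.gemspec'),
               "Gem::Specification.new { |s| s.name = 'example'; s.files += ['lib/extra.rb'] }\n")
    compare_trees(source, artifact)
  end
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "Only in published artifact: #{result[:only_in_artifact].inspect}"
  puts "Only in source checkout:    #{result[:only_in_source].inspect}"
  puts "Modified:                   #{result[:modified].inspect}"
end
```

Against a real release, populate the artifact side with `gem fetch <name> -v <version>` followed by `gem unpack` on the downloaded `.gem`, and the source side with a checkout of the matching release tag; any entry under `only_in_artifact` or `modified` that the gemspec's `files` list does not account for deserves a look before the release is trusted.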
According to Snyk, a cybersecurity firm, around 1600 other code repositories may have been affected. Thankfully, this particular backdoored version of bootstrap-sass was downloaded only 1477 times and was fixed rapidly.
When loaded into a Ruby or Ruby on Rails (a popular Ruby web framework) application, the malicious code would load a cookie file and execute its content, according to a member of the cyber-security firm Bad Packets, who confirmed the malicious nature of the library update for ZDNet.
The backdoor was removed from RubyGems on the same day it was reported. The Bootstrap-Sass team also revoked access to RubyGems for the developer whose account they believed was compromised and used to push the malicious code.