Backdoor Code Found in Popular Bootstrap-Sass Ruby Library (Apr 5, 2019)
Software developer Derek Barnes discovered a backdoor in the Ruby library “Bootstrap-Sass.” Barnes noticed the issue when someone removed a version of the library (126.96.36.199) from the Ruby library repository “RubyGems” and replaced it with a new version (188.8.131.52), with no corresponding change on GitHub. He found that code embedded in the library would, when loaded by Ruby and the “Ruby on Rails” framework, read a cookie and execute its content; a security researcher from Bad Packets confirmed this behaviour. On April 4, 2019, version 184.108.40.206 was released on RubyGems and on GitHub.
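The tell in this story is a gem published to RubyGems that does not match the project's GitHub source. As an added example (not from the original post and not the library's own code), the check below hashes every file in an installed gem directory and compares it with a source checkout of the corresponding tag, reporting files that exist only in the published gem, files that differ, and files the gem dropped; the directory layout in `demo` is constructed to show one extra file slipped into the gem.

```ruby
require "digest"
require "tmpdir"
require "fileutils"

# Walk a directory and return { relative_path => sha256 } for every regular file
# (dotfiles included, since unexpected code can hide there).
def tree_digests(root)
  Dir.glob("**/*", File::FNM_DOTMATCH, base: root)
     .select { |p| File.file?(File.join(root, p)) }
     .map    { |p| [p, Digest::SHA256.file(File.join(root, p)).hexdigest] }
     .to_h
end

# Compare the unpacked gem (what `gem install` actually put on disk) against
# the source checkout of the tag it claims to be built from.
def compare_gem_to_source(gem_dir, src_dir)
  gem_files = tree_digests(gem_dir)
  src_files = tree_digests(src_dir)
  {
    only_in_gem: (gem_files.keys - src_files.keys).sort,            # never in the repo
    modified:    gem_files.select { |p, h| src_files.key?(p) && src_files[p] != h }.keys.sort,
    missing:     (src_files.keys - gem_files.keys).sort,            # dropped from the gem
  }
end

# Constructed demo: a pretend gem that carries one extra file the repo lacks.
def demo
  Dir.mktmpdir do |tmp|
    src = File.join(tmp, "src")
    gem = File.join(tmp, "gem")
    FileUtils.mkdir_p(File.join(src, "lib"))
    FileUtils.mkdir_p(File.join(gem, "lib"))
    File.write(File.join(src, "lib", "bootstrap-sass.rb"), "module Bootstrap; end\n")
    File.write(File.join(gem, "lib", "bootstrap-sass.rb"), "module Bootstrap; end\n")
    File.write(File.join(gem, "lib", "extra.rb"), "# constructed: absent from the repo\n")
    compare_gem_to_source(gem, src)
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Any entry under `only_in_gem` or `modified` is worth reading line by line before the gem is allowed into a build.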
Recommendation: Thankfully, researchers believe that the affected library, Bootstrap-Sass v3.4.1, was not widely used by developers, but risk remains for applications that do use it. Downloads of the backdoored versions are estimated at approximately 1,477 as of this writing. Administrators, developers, and users should have been prompted to update and should install the new version as soon as possible to avoid potential malicious activity.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.