DEV Community

Liran Tal

Posted on • Edited on • Originally published at lirantal.com

Did you hear about the malicious backdoor discovered in the popular bootstrap-sass Ruby gem?

I recently shared the outline of events and the technical details behind the backdoor that was cleverly hidden in version 3.2.0.3 of bootstrap-sass, a popular Ruby gem that has been downloaded 28 million times since it was added to the repository 8 years ago.

The malicious version allowed remote attackers to execute arbitrary code on servers running the vulnerable version, by sending a specially crafted HTTP request that hides the payload in an innocent-looking cookie 🍪.

As there are no logs or other evidence to trace back how this happened, the maintainers suspect that the gem was published from a compromised account belonging to one of the two maintainers who had publish access.

We've heard stories of this happening before in the JavaScript community as well. One good example is the eslint-scope package.

What can we do about it?

I can't stress enough how important it is for maintainers, and for developers in general, to bump up their security game. I have compiled a list of 10 npm security best practices for JavaScript developers, and at the very least, enabling 2FA on the RubyGems repository is a must.

If you're using Snyk, we have already updated our vulnerability database to alert you in case you are using the malicious version.
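A quick way to check your own projects for the backdoored release, as an added example that is not part of the original post and not Snyk's tooling: the script below parses the `specs:` section of a Gemfile.lock and flags any resolved gem whose version is on a known-bad list. The list contains only the version the post names (bootstrap-sass 3.2.0.3); the Gemfile.lock fragment is constructed for the demo, and the `KNOWN_BAD` / `resolved_gems` / `flag_known_bad` names are this example's own.

```ruby
# Added example, not code from the original post. Audit a Gemfile.lock for
# gem versions known to be malicious. Only the version named in the post is
# listed here; extend the hash with other entries from your advisory feed.
KNOWN_BAD = { "bootstrap-sass" => ["3.2.0.3"] }.freeze

# Constructed sample Gemfile.lock fragment used when no path is given.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sass (>= 3.3.4)
      sass (3.7.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap-sass (~> 3.2.0)
LOCK

# Parse the resolved gem versions out of the "specs:" section of a lockfile.
# Resolved gems are the lines indented exactly four spaces as "name (version)";
# lines indented further are that gem's dependency constraints, not versions
# that were actually installed, so they are ignored.
def resolved_gems(lock_text)
  gems = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # A line with no indentation (PLATFORMS, DEPENDENCIES, ...) ends the section
    in_specs = false if in_specs && line !~ /\A\s/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      gems[m[1]] = m[2]
    end
  end
  gems
end

# Return [[name, version], ...] for every resolved gem on the known-bad list.
def flag_known_bad(lock_text, known_bad = KNOWN_BAD)
  resolved_gems(lock_text)
    .select { |name, ver| known_bad.fetch(name, []).include?(ver) }
    .to_a
end

if $PROGRAM_NAME == __FILE__
  path = ARGV[0]
  text = path && File.exist?(path) ? File.read(path) : SAMPLE_LOCK
  hits = flag_known_bad(text)
  if hits.empty?
    puts "no known-bad gem versions found"
  else
    hits.each { |name, ver| puts "KNOWN-BAD: #{name} #{ver} (pin a different version and rotate anything this host had access to)" }
  end
end
```

Run it as `ruby audit_lock.rb path/to/Gemfile.lock` (a hypothetical filename). Checking the lockfile rather than the Gemfile matters because the Gemfile's `~> 3.2.0` constraint says nothing about which release was actually resolved; only the lockfile records that 3.2.0.3 was installed.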
