I recently shared the outline of events and technical details behind the backdoor that was cleverly hidden in the 184.108.40.206 version of bootstrap-sass, a popular Ruby gem that has been downloaded 28 million times since it was added to the repository 8 years ago.
The malicious version allowed remote attackers to execute code on servers running the vulnerable version by sending a specially crafted HTTP request that hides the payload in an innocent-looking cookie 🍪.
As there are no logs or other evidence to trace back how this happened, the maintainers suspect that the gem was published using a compromised account belonging to one of the two maintainers who had publish access.
What can we do about it?
If you’re using Snyk, we have already updated our vulnerability database to alert you in case you are using the malicious version.