Backdoor code found in popular Bootstrap-Sass Ruby library



Backdoor code was found in a popular Ruby library used to build frontend user interfaces in Ruby and Ruby on Rails applications. The malicious code has since been removed in a library update.

The library affected by this incident is Bootstrap-Sass, a Ruby package that provides developers with a Sass version of Bootstrap, the most popular UI framework for developers today.

The backdoor came to light on March 27, last week, when software developer Derek Barnes noticed that someone had removed an existing version of the library (Bootstrap-Sass v3.2.0.2) and, moments later, published a new version, v3.2.0.3.

What drew Barnes's attention to this version was that the change had been made only on RubyGems, the main package repository for Ruby libraries, and not on GitHub, where the library's source code is managed. A release that appears on the registry with no matching tag or commit in the source repository is a warning sign that the package was published outside the maintainers' normal release process.
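The check Barnes effectively performed by hand can be scripted. The following is an added example, not code from the article or from the Bootstrap-Sass project: it compares a registry's release list with a source repository's tag list, flags releases that exist only on the registry, and then checks whether the version an application has pinned in its Gemfile.lock is one of them. The registry listing, the tag list and the Gemfile.lock fragment are all constructed sample data that mirror the pattern described above (3.2.0.2 gone from the registry, 3.2.0.3 present on the registry but never tagged); the assumption that tags are named `vX.Y.Z` is a convention, not something the article states.

```ruby
require 'rubygems' # Gem::Version, for correct ordering of multi-part versions
require 'set'

# Constructed sample data, not a live rubygems.org or GitHub listing. The
# registry no longer lists 3.2.0.2 (yanked) but does list 3.2.0.3, while the
# source repository carries a v3.2.0.2 tag and no v3.2.0.3 tag.
REGISTRY_VERSIONS = %w[3.4.1 3.4.0 3.3.7 3.2.0.3 3.2.0.1 3.2.0.0].freeze
GIT_TAGS = %w[v3.4.1 v3.4.0 v3.3.7 v3.2.0.2 v3.2.0.1 v3.2.0.0].freeze

# Constructed Gemfile.lock fragment for an application resolved to the bad release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (9.5.1)
        execjs
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sassc (>= 2.0.0)
      sassc (2.0.1)
LOCK

# Assumed convention: git tags are "vX.Y.Z", gem versions carry no prefix.
def tag_to_version(tag)
  tag.sub(/\Av/, '')
end

# Versions the registry serves that have no matching tag in the source repo.
# A release that exists only on the registry is the sign Barnes acted on.
def registry_only_versions(registry_versions, git_tags)
  tagged = git_tags.map { |t| tag_to_version(t) }.to_set
  registry_versions.reject { |v| tagged.include?(v) }
                   .sort_by { |v| Gem::Version.new(v) }
                   .reverse
end

# Tags in the source repo for which the registry lists no release: either never
# published, or published and later yanked (as 3.2.0.2 was in this scenario).
def tagged_but_unpublished(registry_versions, git_tags)
  published = registry_versions.to_set
  git_tags.map { |t| tag_to_version(t) }.reject { |v| published.include?(v) }
end

# Resolved version of one gem from a Gemfile.lock. Top-level specs are indented
# four spaces and their dependencies six, so the anchored pattern does not match
# dependency lines such as "      autoprefixer-rails (>= 5.2.1)".
def locked_version(lockfile_text, gem_name)
  pattern = /^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*$/
  m = lockfile_text.match(pattern)
  m && m[1]
end

# Is the version this application resolved to one the upstream repo never tagged?
def audit_locked_gem(lockfile_text, gem_name, registry_versions, git_tags)
  version = locked_version(lockfile_text, gem_name)
  suspicious = registry_only_versions(registry_versions, git_tags)
  {
    gem: gem_name,
    locked: version,
    registry_only: suspicious,
    yanked_or_untagged: tagged_but_unpublished(registry_versions, git_tags),
    locked_version_suspicious: !version.nil? && suspicious.include?(version)
  }
end

if $PROGRAM_NAME == __FILE__
  report = audit_locked_gem(SAMPLE_LOCKFILE, 'bootstrap-sass', REGISTRY_VERSIONS, GIT_TAGS)
  puts "#{report[:gem]} locked at #{report[:locked]}"
  puts "registry-only releases: #{report[:registry_only].join(', ')}"
  puts "tagged but not on registry: #{report[:yanked_or_untagged].join(', ')}"
  puts(report[:locked_version_suspicious] ? 'ALERT: locked version has no upstream tag' : 'ok')
end
```

In practice the two lists come from `gem list -r -a <name>` (or the rubygems.org versions API) and `git ls-remote --tags`. A missing tag is only the first signal; the follow-up is to fetch and unpack the published gem (`gem fetch` then `gem unpack`) and diff its files against the nearest tagged source, since a compromised release can also reuse a version number that does have a tag.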
