Ruby Tuesday… Is rest-client 1.6.13 hacked?

Reality update: Warning! is rest-client 1.6.13 hijacked? · Issue #713 · rest-client/rest-client · GitHub … :
Wow. I guess I’d call that a #rubytuesday

“JanDintel commented Aug 20, 2019: 

In case people need to write a detailed security report at their company. This might help you.

The security threat consisted of the following:

* It sent the URL of the infected host to the attacker.

* It sent the environment variables of the infected host to the attacker. Depending on your set-up, this can include credentials of services that you use, e.g. database, payment service provider.

* It allowed Ruby code to be eval'd on the infected host. The attacker needed to send a signed (using the attacker’s own key) cookie with the Ruby code to run.

* It overloaded the #authenticate method on the Identity class. Every time the method gets called, it will send the email/password to the attacker. However, I’m unsure which libraries use the Identity class; maybe someone else knows?”

(Thanks to Fefe, once again!)
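
For the security report the quoted comment mentions, a triage sketch in Ruby (an added example, not code from the issue thread or from rest-client): it checks a `Gemfile.lock` for the version named above and lists the names of environment variables that look like credentials and would need rotating. The `FLAGGED` table, the `SECRET_NAME` pattern and the sample inputs are assumptions constructed for this example.

```ruby
# Added example; not code from the post or from the rest-client project.
# Assumption: 1.6.13 is the only affected version the page names.
FLAGGED = { "rest-client" => ["1.6.13"] }.freeze
# Assumption: name patterns that usually mark secrets; tune for your stack.
SECRET_NAME = /PASS|SECRET|TOKEN|KEY|CREDENTIAL|DATABASE_URL/i

# [name, version] pairs from the "specs:" sections of a Gemfile.lock.
# Resolved gems are indented four spaces; their dependency constraints
# are indented six and are skipped.
def locked_gems(lockfile_text)
  in_specs = false
  lockfile_text.each_line.with_object([]) do |line, gems|
    if line.match?(/\A {2}specs:\s*\z/)
      in_specs = true
    elsif line.match?(/\A\S/) || line.strip.empty?
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      gems << [m[1], m[2]]
    end
  end
end

def flagged_gems(lockfile_text, flagged = FLAGGED)
  locked_gems(lockfile_text).select { |name, ver| flagged.fetch(name, []).include?(ver) }
end

# Names only (never values) of variables to rotate if a flagged gem ran here.
def secrets_to_rotate(env)
  env.keys.grep(SECRET_NAME).sort
end

# Constructed sample inputs, used when no lockfile path is given.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.2.2)
      rest-client (1.6.13)
        mime-types (>= 1.16)

  DEPENDENCIES
    rest-client
LOCK
SAMPLE_ENV = { "DATABASE_URL" => "x", "STRIPE_SECRET_KEY" => "x", "PATH" => "/usr/bin" }.freeze

if $PROGRAM_NAME == __FILE__
  lock, env = ARGV[0] ? [File.read(ARGV[0]), ENV.to_h] : [SAMPLE_LOCK, SAMPLE_ENV]
  hits = flagged_gems(lock)
  hits.each { |name, ver| puts "FLAGGED: #{name} #{ver}" }
  puts "Rotate: #{secrets_to_rotate(env).join(', ')}" unless hits.empty?
end
```

Run it with the path to a project's `Gemfile.lock` on the host in question so that the variable names come from that host's own environment.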