
New account registrations on RubyGems.org, the official Ruby gem hosting service, have been suspended after threat actors published hundreds of malicious packages. RubyGems maintainers announced on May 12 that registrations have been temporarily disabled due to a "DDoS attack". Nearly 24 hours later, registrations are still disabled and will likely remain closed for another 2-3 days until account creation rate limiting can be tightened and WAF protection is enabled.
According to RubyGems maintainers, the service was targeted in "spam activity" that involved bot accounts pushing more than 500 junk packages, including ones carrying exploits. The malicious packages have been removed from the registry, and existing packages have not been compromised. An investigation into the incident is ongoing, but at this point it appears that end users were not targeted.
"Gem installs and pushes for existing users are unaffected," RubyGems said on its status page. Maciej Mensfeld of the RubyGems security team noted in a post on X that the attack appears to have targeted RubyGems itself, with the attackers attempting XSS attacks and data exfiltration.
"My worry with this RubyGems attack: it could be masking something more sophisticated. No proof, just a security researcher's intuition. Hope I'm wrong," Mensfeld said.
New account registrations on RubyGems.org were suspended after threat actors published hundreds of malicious packages. RubyGems maintainers temporarily disabled registrations in response to what they described as a DDoS attack, and registrations were still disabled nearly 24 hours later. Registrations are expected to remain closed for another 2–3 days while account creation rate limiting is tightened and WAF protection is enabled. The incident involved spam activity in which bot accounts pushed more than 500 junk packages, including packages carrying exploits. The malicious packages were removed from the registry, and existing packages were not compromised. RubyGems stated that gem installs and pushes for existing users were unaffected. The investigation is ongoing; current indications are that end users were not targeted and that the attackers instead attempted XSS attacks and data exfiltration against RubyGems itself.
Read at SecurityWeek