RubyGems.org, the public package repository for Ruby's package manager, has temporarily suspended the registration of new users after detecting hundreds of malicious gems in its repository. The measure aims to cut off the freshly created accounts that were being used to publish harmful packages. Existing developers can still publish and update gems, protecting the integrity of the ecosystem while new accounts are reviewed.
How the suspension affects the Ruby workflow 🛑
The pause in registrations means that any developer without a prior account will not be able to upload packages until further notice. This affects new projects and external contributors who need to publish a gem from a fresh account. Updates and patches from existing accounts remain active, so critical libraries can still be maintained. RubyGems recommends protecting publishing accounts (scoped API keys rather than a single all-powerful key, and multi-factor authentication on the account) and reviewing dependencies before installing them, while it adds further filters against malicious code on its side. In practice, reviewing dependencies means checking the exact names in your Gemfile and Gemfile.lock: the malicious gems were uploaded under names chosen to look like popular ones, so a one-letter typo in a gem name can pull in the wrong package.
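The check above can be scripted. The following Ruby is an added example, not RubyGems' own tooling and not code from the original article: it reads the `specs:` section of a Gemfile.lock (a constructed sample is embedded) and flags gem names that are within a small edit distance of a curated list of well-known gems but are not themselves on that list. The sample names `nokogirl` and `rspecs` are hypothetical look-alikes invented for the example, and the `KNOWN_GEMS` list is an assumption you would replace with the gems your project actually depends on.

```ruby
# Typosquat review for a Gemfile.lock (added example, not RubyGems' own code).
require 'set'

# Constructed sample lockfile. "nokogirl" and "rspecs" are hypothetical
# look-alike names invented for this example; they do not refer to real packages.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
      nokogirl (1.0.0)
      rails (7.1.3)
        nokogiri (>= 1.8.5)
      rspec (3.13.0)
      rspecs (0.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogirl
    rails
    rspecs
LOCK

# Assumed allowlist of well-known gems that squatters imitate; curate it per project.
KNOWN_GEMS = %w[rails rspec nokogiri rake bundler].freeze

# Return the names of direct spec entries (4-space indent) in the specs: block.
# Nested dependency lines (6-space indent) are intentionally skipped.
def lockfile_gem_names(text)
  names = []
  in_specs = false
  text.each_line do |line|
    if line.match?(/^\s+specs:/)
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.match?(/^\S/) # next top-level section
    next unless in_specs
    m = line.match(/^ {4}([A-Za-z0-9_.-]+) \(/)
    names << m[1] if m
  end
  names.uniq
end

# Classic Levenshtein edit distance with a single rolling row.
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Map each suspicious name to the known gems it resembles. A name that is
# itself on the allowlist is never flagged, whatever its distance to others.
def suspicious_gems(names, known = KNOWN_GEMS, max_distance: 2)
  known_set = known.to_set
  names.each_with_object({}) do |name, out|
    next if known_set.include?(name)
    near = known.select { |k| levenshtein(name, k) <= max_distance }
    out[name] = near unless near.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCKFILE
  suspicious_gems(lockfile_gem_names(text)).each do |name, near|
    puts "#{name}: resembles #{near.join(', ')}"
  end
end
```

Run it as `ruby check_lock.rb Gemfile.lock` against a real lockfile, or with no argument to see the constructed sample flag `nokogirl` and `rspecs`. The edit-distance threshold is deliberately small; raising it catches more look-alikes but also more legitimate short names, so treat a hit as a prompt to inspect the gem's page and owners rather than as proof of malice.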
The cybercriminal who ran out of new accounts 😈
Just when the bad guys had perfected their technique of packaging trojans with popular gem names, RubyGems slams the door in their faces. Now they'll have to settle for stealing old accounts or writing legitimate code like everyone else. Too bad their plan to dominate the world through gem install has been put on hold. At least honest developers can breathe without their bundle update being a game of Russian roulette.