RubyGems has temporarily suspended new account registrations after cybersecurity researchers identified a large-scale malicious package upload campaign targeting the open source software repository. The incident involved hundreds of harmful packages being published to the platform, prompting an immediate response from RubyGems administrators and security partners. Visitors attempting to create new accounts on the platform are currently shown a notice stating that account registration has been temporarily disabled while mitigation efforts continue. The attack has raised fresh concerns about the security of open source software ecosystems and the growing risks associated with software supply chain attacks targeting widely used developer platforms.
The issue was first highlighted by Maciej Mensfeld, Senior Product Manager for Software Supply Chain Security at Mend.io, who stated that RubyGems was dealing with a major malicious attack involving hundreds of packages. According to Mensfeld, many of the uploaded packages specifically targeted Mend.io, while others reportedly included exploit-related functionality. Mend.io, which provides security support for RubyGems, confirmed that further technical details would be released after the incident is fully contained. At the time of disclosure, the identity of the threat actors behind the campaign had not been publicly identified. The incident reflects the increasing frequency of attacks directed at software package registries, where malicious actors attempt to compromise developers and organizations by distributing harmful code through trusted software repositories used in application development environments worldwide.
Cybersecurity experts have warned that software supply chain attacks have become a major threat across open source ecosystems in recent years. Threat groups such as TeamPCP have previously compromised popular packages to distribute credential-stealing malware capable of harvesting sensitive information from infected systems. Researchers from Google also recently reported that stolen credentials obtained through software supply chain compromises have increasingly been monetized through partnerships with ransomware operators and data-theft extortion groups. Such attacks often rely on developers unknowingly downloading compromised packages, allowing malicious code to spread into enterprise environments, cloud infrastructure, and production systems. The latest RubyGems incident highlights the ongoing challenges facing open source maintainers and security teams as attackers continue to exploit the trust developers place in software repositories and package distribution platforms.
In a follow-up update, Mensfeld stated that more than 120 malicious packages had already been removed from RubyGems and noted that the campaign directly targeted the registry infrastructure itself. Separately, Marty Haught from Ruby Central described the incident as a coordinated spam publishing campaign involving newly created accounts that uploaded junk and malicious packages to the platform. RubyGems later confirmed that the malicious activity had been stopped, the responsible bot accounts had been blocked and removed, and more than 500 malicious packages had been deleted from the registry. The platform also stated that account registrations would remain suspended temporarily while it works with Fastly to strengthen web application firewall protections and implement stricter rate-limiting measures for new account creation. According to RubyGems, the additional security measures are expected to take several days to complete as efforts continue to secure the platform and reduce the risk of similar attacks targeting the software ecosystem.
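As an added illustration of the pattern described above (newly created accounts bulk-publishing packages), and not code from RubyGems, Ruby Central or Mend.io, the following Ruby script flags registry accounts that push many gems shortly after creation; the audit-log format, account names and thresholds are constructed assumptions.

```ruby
require 'json'
require 'time'

# Constructed sample audit log (not real RubyGems data): one JSON event per line.
# "alice" is a long-standing maintainer; "bot-0017" and "bot-0018" are fresh accounts.
SAMPLE_EVENTS = <<~LOG
  {"ts":"2023-01-10T09:00:00Z","event":"account_created","user":"alice"}
  {"ts":"2024-05-01T10:00:00Z","event":"account_created","user":"bot-0017"}
  {"ts":"2024-05-01T10:00:05Z","event":"account_created","user":"bot-0018"}
  {"ts":"2024-05-01T10:01:10Z","event":"gem_pushed","user":"bot-0017","gem":"junk-a-1"}
  {"ts":"2024-05-01T10:01:12Z","event":"gem_pushed","user":"bot-0017","gem":"junk-a-2"}
  {"ts":"2024-05-01T10:01:14Z","event":"gem_pushed","user":"bot-0017","gem":"junk-a-3"}
  {"ts":"2024-05-01T10:01:16Z","event":"gem_pushed","user":"bot-0017","gem":"junk-a-4"}
  {"ts":"2024-05-01T10:02:00Z","event":"gem_pushed","user":"bot-0018","gem":"junk-b-1"}
  {"ts":"2024-05-01T11:00:00Z","event":"gem_pushed","user":"alice","gem":"real-lib"}
  {"ts":"2024-05-01T11:05:00Z","event":"gem_pushed","user":"alice","gem":"real-lib-ext"}
  {"ts":"2024-05-01T11:06:00Z","event":"gem_pushed","user":"alice","gem":"real-lib-cli"}
LOG

# Parse the log into an array of event hashes with Time objects for "ts".
def parse_events(log)
  log.each_line.map do |line|
    ev = JSON.parse(line)
    ev['ts'] = Time.iso8601(ev['ts'])
    ev
  end
end

# Flag accounts that push more than max_pushes gems while the account is
# younger than window_hours. Pushes from accounts whose creation event is not
# in the log are ignored. Returns { user => push_count } for flagged accounts.
def flag_new_account_bursts(events, window_hours: 24, max_pushes: 3)
  created = {}
  pushes  = Hash.new(0)
  events.sort_by { |e| e['ts'] }.each do |e|
    case e['event']
    when 'account_created'
      created[e['user']] = e['ts']
    when 'gem_pushed'
      born = created[e['user']]
      next unless born
      age_hours = (e['ts'] - born) / 3600.0
      pushes[e['user']] += 1 if age_hours <= window_hours
    end
  end
  pushes.select { |_user, count| count > max_pushes }
end

if __FILE__ == $PROGRAM_NAME
  flag_new_account_bursts(parse_events(SAMPLE_EVENTS)).each do |user, count|
    puts "#{user}: #{count} pushes within 24h of account creation"
  end
end
```

Only bot-0017 exceeds the threshold in the sample; alice's three pushes are not counted because her account is far older than the window.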