RubyGems Suspends New Signups After Coordinated Attack Uploads Over 500 Malicious Packages
RubyGems has temporarily paused new account registrations after a coordinated attack uploaded more than 500 malicious packages to the Ruby package registry, prompting an emergency response from Mend.io and Ruby Central.

RubyGems, the standard package manager for the Ruby programming language, has temporarily suspended new account signups following what security firm Mend.io described as a 'major malicious attack.' The incident, which unfolded on May 12, 2026, saw over 500 malicious packages uploaded to the registry in a coordinated spam-publishing campaign. Mend.io senior product manager Maciej Mensfeld confirmed the attack on social media, stating that hundreds of packages were involved, some carrying exploits, and that signups were paused as part of the containment effort.
The attack specifically targeted the RubyGems infrastructure itself, rather than individual downstream projects. Bot accounts were used to publish junk packages that included malicious code, aiming to compromise the registry's integrity. Ruby Central's Marty Haught noted that the activity was limited to newly registered accounts, suggesting the attackers had automated the account creation process to bypass initial checks. In response, Mend.io and Ruby Central immediately blocked the bot accounts, yanked the malicious gems from the registry, and began coordinating with Fastly to implement web application firewall (WAF) protection and tighten rate limiting on account creation.
As of May 13, 2026, RubyGems confirmed that the malicious spam activity had stopped. 'The bot accounts responsible have been blocked and removed, and the 500+ malicious packages pushed during the attack have been yanked from the registry,' the organization stated in an update. Account sign-ups are expected to remain closed for two to three days while the WAF and rate-limiting measures are fully deployed. The incident underscores the persistent vulnerability of open-source package registries to supply-chain attacks, where threat actors exploit automated account creation to inject malware into trusted distribution channels.
The attack on RubyGems is part of a broader trend of escalating supply-chain threats targeting open-source ecosystems. In recent months, similar campaigns have targeted npm, PyPI, and other registries, with threat actors like TeamPCP compromising widely used packages to distribute credential-stealing malware. A report published by Google on Monday highlighted that credentials stolen from such attacks are being monetized through partnerships with ransomware and data theft extortion groups, amplifying the downstream impact on organizations that rely on open-source components.
While the immediate threat to RubyGems has been contained, the incident raises questions about the long-term security of package registries and the need for more robust identity verification and automated abuse detection. Mend.io, which provides security scanning for RubyGems, has stated it will release more detailed findings once the incident is fully analyzed. The identity of the attackers remains unknown, but the scale and coordination of the campaign suggest a well-resourced adversary.
For developers and organizations using RubyGems, the incident serves as a reminder to verify package integrity and monitor for suspicious updates. RubyGems has advised users to ensure they are running the latest version of the gem client and to report any suspicious packages. The registry's temporary closure of signups is a precautionary measure to prevent further abuse while security enhancements are implemented.
As open-source ecosystems continue to grow, the attack on RubyGems highlights the critical need for proactive security measures, including automated threat detection, rate limiting, and rapid incident response. The collaboration between Mend.io, Ruby Central, and Fastly demonstrates the importance of coordinated defense in protecting the software supply chain from increasingly sophisticated attacks.
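
The pattern reported above, newly registered accounts publishing packages in bulk, is the kind of signal automated abuse detection can key on. The Ruby example below is an added illustration, not code from RubyGems, Ruby Central or Mend.io; the event fields, account names, sample events and thresholds are all constructed assumptions.

```ruby
require "time"

# Assumed thresholds (illustrative, not RubyGems.org policy).
MAX_ACCOUNT_AGE = 24 * 3600 # account counts as "new" if under 24h old at first push
BURST_WINDOW    = 3600      # sliding window, in seconds
BURST_THRESHOLD = 5         # distinct gems in one window that counts as bulk publishing

# Hypothetical event shape: one hash per gem push.
def ev(account, created_at, gem_name, pushed_at)
  { account: account, created_at: created_at, gem: gem_name, pushed_at: pushed_at }
end

# Constructed sample events, not real registry data.
EVENTS = [
  # New account that pushes six gems within minutes of signing up.
  *(0...6).map { |i| ev("acct-bot-01", "2026-05-12T10:00:00Z", "junk-#{i}", format("2026-05-12T10:%02d:00Z", 5 + i)) },
  # Long-standing account doing a burst release: same volume, but not new.
  *(0...6).map { |i| ev("acct-old", "2019-03-01T00:00:00Z", "rel-#{i}", format("2026-05-12T11:%02d:00Z", i * 5)) },
  # New account that pushes a single gem: new, but no burst.
  ev("acct-new", "2026-05-12T09:00:00Z", "first-gem", "2026-05-12T09:30:00Z")
].freeze

# Flags accounts that are both new at first push AND publish in bulk.
def suspicious_accounts(events, max_age: MAX_ACCOUNT_AGE, window: BURST_WINDOW, threshold: BURST_THRESHOLD)
  events.group_by { |e| e[:account] }.filter_map do |account, evs|
    pushes = evs.map { |e| [Time.parse(e[:pushed_at]), e[:gem]] }.sort_by(&:first)
    age_at_first_push = pushes.first[0] - Time.parse(evs.first[:created_at])
    next if age_at_first_push > max_age
    # Largest number of distinct gems pushed inside any window starting at a push.
    peak = pushes.each_index.map do |i|
      pushes[i..].take_while { |t, _| t - pushes[i][0] <= window }.map(&:last).uniq.size
    end.max
    next if peak < threshold
    { account: account, age_at_first_push: age_at_first_push.to_i, peak_gems: peak }
  end
end

suspicious_accounts(EVENTS).each do |hit|
  puts "#{hit[:account]}: first push #{hit[:age_at_first_push]}s after signup, #{hit[:peak_gems]} gems in one window"
end
```

Requiring both conditions keeps an established maintainer's burst release and a genuine first-time publisher out of the results; only the account that is new and publishing in bulk is flagged.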