RubyGems Suspends Registrations After Hundreds of Malicious Packages Flood Registry
RubyGems.org has suspended new account registrations after threat actors published over 500 malicious packages, including exploit-laden gems, in a coordinated spam and attack campaign.

RubyGems.org, the official repository for Ruby gems, has suspended new account registrations after a coordinated attack saw threat actors publish hundreds of malicious packages, some carrying exploits. The incident, initially described as a distributed denial-of-service (DDoS) attack, has forced maintainers to lock down registration while they implement rate limiting and web application firewall (WAF) protections.
RubyGems maintainers announced the suspension on May 12, citing a DDoS attack. Nearly 24 hours later, registrations remain disabled and are expected to stay closed for another two to three days. According to a status update, the service was targeted in "spam activity" involving bot accounts that pushed more than 500 junk packages, including ones carrying exploits. The malicious packages have been removed from the registry, and existing packages have not been compromised.
Maciej Mensfeld of the RubyGems security team noted on X that the attack appears to have targeted RubyGems itself, with the attackers attempting cross-site scripting (XSS) attacks and data exfiltration. "My worry with this RubyGems attack: it could be masking something more sophisticated. No proof, just a security researcher's intuition. Hope I'm wrong," Mensfeld said.
The attack underscores the ongoing challenge of securing open-source package registries against automated abuse. RubyGems joins a growing list of package managers—including npm, PyPI, and Maven—that have faced similar campaigns involving malicious packages designed to steal credentials, deploy backdoors, or exfiltrate data. The scale of this incident, with over 500 packages pushed in a short period, highlights the need for more robust automated defenses.
RubyGems maintainers have stated that gem installs and pushes for existing users remain unaffected. The investigation is ongoing, but at this point it appears that end users were not directly targeted. The suspension of registrations is a precautionary measure to prevent further abuse while the team tightens account creation rate limiting and enables WAF protection.
This incident comes amid a broader wave of supply chain attacks targeting open-source ecosystems. Recent attacks on TanStack, Mistral AI, and UiPath, as well as the compromise of the Checkmarx Jenkins AST Plugin, demonstrate that threat actors are increasingly focusing on developer tools and package registries as vectors for widespread compromise.
For now, existing RubyGems users can continue to install and publish gems as normal, but new accounts cannot be created until the security improvements are in place. The Ruby community will be watching closely to see whether this attack was indeed a smokescreen for something more sinister, as Mensfeld fears.