www.securityweek.com 5/13/2026, 8:00:55 AM · via preferred

RubyGems pauses new accounts after 500+ malicious gem push

Primary Source status.rubygems.org

More than 500 malicious packages were pushed to RubyGems[.]org during a recent attack, prompting the suspension of new account registrations on the official Ruby gem hosting service. RubyGems maintainers announced on 12 May that registrations have been temporarily disabled due to a “DDoS attack” and are likely to remain closed for another 2–3 days as rate limiting and WAF protections are tightened.

The service was targeted in “spam activity” using bot accounts to push junk packages, some of which carried exploits, though the malicious packages have since been removed and existing packages were not compromised. An investigation is ongoing, but it appears end users were not targeted, and gem installs for existing users remain unaffected. Maciej Mensfeld of the RubyGems security team noted that the attack seems to have targeted RubyGems itself, with attempts at XSS and data exfiltration.


Article by CyberSIXT
