RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded

MacThreat

RubyGems has suspended new account registrations after a coordinated attack flooded the registry with hundreds of malicious packages, marking one of the most significant supply chain incidents targeting the Ruby ecosystem.

Attack Details and Immediate Response

The attack was first disclosed by Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, who described it as a “major malicious attack.” The incident involved hundreds of packages, some carrying exploits, that were pushed to the registry through newly created bot accounts.

RubyGems’ sign-up page now displays a message stating that new account registration has been temporarily disabled. Mend.io, which provides security oversight for RubyGems, confirmed it is actively containing the incident and plans to release further details once the threat is fully mitigated.

Scope and Remediation Efforts

In subsequent updates, Mensfeld confirmed that more than 120 malicious packages were initially removed, while Ruby Central’s Marty Haught characterized the event as a “coordinated spam-publishing campaign” limited to newly registered accounts. By May 13, RubyGems reported that the malicious activity had stopped, with over 500 malicious packages yanked from the registry.

The platform is coordinating with Fastly to implement web application firewall (WAF) protections and tighten rate limiting on account creation. These measures are expected to take two to three days. Notably, gem installs and pushes for existing users remain unaffected throughout the response.

Broader Supply Chain Implications

This incident underscores the escalating threat landscape for open-source package registries. Threat actors such as TeamPCP have increasingly targeted widely used packages to distribute credential-stealing malware, and Google recently reported that stolen credentials from such attacks are being monetized through partnerships with ransomware and data theft extortion groups.

Resolution and Forward Outlook

RubyGems re-enabled account registrations on May 16, 2026, declaring the incident resolved. However, this attack serves as a stark reminder that package registries remain a prime vector for software supply chain compromise. As threat actors continue to automate and scale their attacks, the industry must prioritize proactive security measures — including robust rate limiting, behavioral analytics, and rapid incident response protocols — to protect the integrity of open-source ecosystems that underpin modern enterprise software development.

Originally reported by The Hacker News. Adapted and republished with editorial context for MacThreat.