RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded
RubyGems suspends signups after 500+ malicious packages uploaded in coordinated attack.
Summary
RubyGems temporarily disabled new account registrations following a coordinated spam-publishing campaign that resulted in over 500 malicious packages being uploaded to the registry. The attack, which was carried out through newly registered bot accounts, has since been contained, with the malicious packages removed and the bot accounts blocked. Account signups were re-enabled on May 16, 2026, after RubyGems implemented additional security measures including WAF protection and tighter rate limiting.
Full text
Ravie Lakshmanan, May 12, 2026
Supply Chain Attack / Software Security

RubyGems, the standard package manager for the Ruby programming language, has temporarily paused account sign-ups following what has been described as a "major malicious attack."

"We're dealing with a major malicious attack on RubyGems right now," Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, said in a post on X. "Signups are paused for the time being. Hundreds of packages involved – mostly targeting us, but some carrying exploits."

Visitors to RubyGems' sign-up page are now greeted with the message: "New account registration has been temporarily disabled."

Mend.io, which secures RubyGems, said it intends to release more details once the incident is contained. It's currently not known who is behind the attack.

The development comes as software supply chain attacks targeting open-source ecosystems have been on the rise, with threat actors like TeamPCP compromising widely used packages to distribute credential-stealing malware capable of harvesting sensitive data and allowing the attackers to expand their reach.

In a report published Monday, Google said the credentials stolen from affected environments have been monetized through partnerships with ransomware and data theft extortion groups.

Update

In a follow-up update, Mensfeld said more than 120 malicious packages have been pulled from RubyGems, adding that the attack targeted the registry itself.

Separately, Ruby Central's Marty Haught said RubyGems was responding to "a coordinated spam-publishing campaign" limited to newly registered accounts publishing junk packages.

"The malicious spam activity against rubygems.org has stopped," RubyGems said in an update shared on May 13, 2026. "The bot accounts responsible have been blocked and removed, and the 500+ malicious packages pushed during the attack have been yanked from the registry."

Account sign-ups are expected to remain closed while RubyGems coordinates with Fastly to enable web application firewall (WAF) protection and tighten rate limiting on account creation. These actions will take two to three days, it noted, adding that gem installs and pushes for existing users are unaffected.

Account Signups Enabled

In an update posted on May 16, 2026, RubyGems said "this incident has been resolved and we've re-enabled account registrations."

(The story was updated after publication to reflect the latest developments.)
Indicators of Compromise
- malware — credential-stealing malware