RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded
RubyGems Halts New Account Registrations Following Major Malicious Package Campaign
TL;DR: RubyGems has temporarily suspended new account signups after hundreds of malicious packages were uploaded to the package repository. Mend.io, which manages RubyGems security, confirmed the attack but the attacker's identity remains unknown. The incident underscores escalating supply chain threats in open-source ecosystems, where stolen credentials are being monetized through partnerships with ransomware groups.
What happened
RubyGems, the standard package manager for the Ruby programming language, implemented an emergency restriction on new account registrations following what Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, described as a "major malicious attack" in a post on X.
The attack involved hundreds of packages uploaded to the repository. According to Mensfeld, the majority of these packages targeted Mend.io specifically, though some carried exploits of unspecified nature. Visitors to RubyGems' signup page now see a notice: "New account registration has been temporarily disabled."
Mend.io, which provides security services for RubyGems, stated it intends to release additional details once the incident is contained. At the time of publication, the identity of the attacker or attacker group had not been disclosed.
The incident represents the latest in a series of software supply chain attacks targeting open-source ecosystems. Threat actor groups, including TeamPCP, have been observed compromising widely used packages to distribute credential-stealing malware designed to harvest sensitive data and enable lateral movement within affected environments.
Why it matters
For developers and system administrators relying on RubyGems, this incident creates immediate friction: the suspension of new account registration prevents legitimate developers from publishing packages, affecting deployment workflows and dependency management. The suspension is likely intended as a containment measure to prevent further malicious uploads while Mend.io investigates.
The broader context amplifies the risk exposure. As Google documented in a recent report, credentials harvested through compromised open-source packages are not merely exfiltrated—they are actively monetized through formal partnerships between threat actors and ransomware operators or data extortion groups. This means a compromised dependency can serve as a bridgehead for enterprise-level extortion campaigns.
For SOC analysts in the MENA region and beyond, this underscores the necessity of continuous monitoring of open-source package repositories. A developer downloading a trojanized Ruby package during the attack window could have inadvertently granted attackers persistent access to internal systems.
Affected systems and CVEs
- RubyGems — temporary account registration suspension in effect
No CVE assigned at the time of publication.
What to do
The source article does not provide specific mitigation guidance. However, standard supply chain security practices apply:
- Review recent package installation logs to identify any dependencies added during the attack window (the source does not specify the attack timeline).
- Verify the integrity of Ruby packages currently in use, prioritizing those published during the incident period.
- Monitor Mend.io and RubyGems official channels for detailed post-incident analysis once the investigation concludes.
- Implement or strengthen dependency scanning in your build pipeline to detect known malicious packages.
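The first two steps above (reviewing what was pulled during the window and verifying gem integrity), as an added Ruby example that is not from the article, Mend.io or RubyGems: it parses a Gemfile.lock, flags gems whose version was published inside a suspected window, and compares each downloaded .gem's SHA-256 with the registry-reported digest. The lockfile, metadata, file contents and window dates are constructed; the rubygems.org versions endpoint and its created_at/sha fields are assumed from the public API rather than taken from the article.

```ruby
require 'digest'
require 'time'

# Constructed sample Gemfile.lock fragment (not a real project's lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.2.1)
      example-helper (0.1.0)
      another-tool (2.0.3)
LOCK

# Constructed stand-in for per-version registry metadata; the assumed real source is
# https://rubygems.org/api/v1/versions/<name>.json (created_at plus a sha256 of the .gem).
# Dates are placeholders, not the incident's timeline (the article gives none).
SAMPLE_METADATA = {
  ["rake", "13.2.1"]          => { created_at: "2024-04-05T00:00:00Z", sha: Digest::SHA256.hexdigest("rake-bytes") },
  ["example-helper", "0.1.0"] => { created_at: "2026-03-20T10:00:00Z", sha: Digest::SHA256.hexdigest("helper-bytes") },
  ["another-tool", "2.0.3"]   => { created_at: "2026-03-21T08:30:00Z", sha: Digest::SHA256.hexdigest("tool-bytes") },
}

# Constructed contents of the downloaded .gem files; "another-tool" is deliberately tampered.
SAMPLE_GEM_FILES = {
  ["rake", "13.2.1"]          => "rake-bytes",
  ["example-helper", "0.1.0"] => "helper-bytes",
  ["another-tool", "2.0.3"]   => "tool-bytes-modified",
}

# Bundler writes each resolved gem as "    name (version)" (4 spaces) under specs:;
# deeper-indented lines are that gem's own dependencies and are skipped here.
def parse_lock(text)
  text.scan(/^ {4}([A-Za-z0-9_.\-]+) \(([^)]+)\)$/)
end

# Gems whose version was published inside the suspected window.
def published_in_window(pairs, metadata, from, to)
  pairs.select do |name, ver|
    meta = metadata[[name, ver]] or next false
    t = Time.iso8601(meta[:created_at])
    t >= from && t <= to
  end
end

# Gems whose local .gem sha256 differs from the registry digest, or that have no registry record.
def checksum_mismatches(pairs, metadata, gem_files)
  pairs.reject do |name, ver|
    meta = metadata[[name, ver]]
    meta && Digest::SHA256.hexdigest(gem_files.fetch([name, ver], "")) == meta[:sha]
  end
end
```

In a real review, replace the constructed hashes with the output of the versions endpoint and the bytes of the .gem files in your bundle cache, and take the window from the maintainers' post-incident timeline.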
Open questions
- Who is responsible for the attack? The source does not name the threat actor.
- What are the names of the malicious packages, and which versions of Ruby projects might have pulled them as dependencies?
- When did the attack begin, and for how long were malicious packages available before detection?
- Did any of the malicious packages execute code on developer machines or systems running affected Ruby applications?
- What specific exploits were present in the packages described as "carrying exploits"?
- Beyond Mend.io, which organizations or projects were targeted or compromised?
- When will account registrations resume, and under what conditions?
Source
RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded