
RubyGems Disrupts Signups Amid Malicious Package Surge


"We're dealing with a major malicious attack on Ruby Gems right now," Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, wrote on X.

Maciej Mensfeld and Mend.io's public alert

On X, Maciej Mensfeld described the incident as a "major malicious attack" and said signups are paused. That public message is the clearest account so far from Mend.io, the vendor the report identifies as the organization responsible for securing the RubyGems supply chain. Mend.io has said it intends to release more details once the incident is contained.

RubyGems halts new account registrations

RubyGems — described in the report as the standard package manager for the Ruby programming language — has temporarily disabled new account registration. Visitors to the RubyGems sign-up page are shown this message verbatim: "New account registration has been temporarily disabled." The pause on new accounts is presented as a direct mitigation step while Mend.io and RubyGems respond to the attack.

Hundreds of malicious packages: scope and content

According to Mensfeld’s post, "Hundreds of packages involved – mostly targeting us, but some carrying exploits." The report does not enumerate the package names or list the exploits, but it makes clear the incident involves a large number of uploads and that at least a subset contain active malicious code. The source material also notes that it is currently not known who is behind the attack.

Supply chain context: TeamPCP and Google's Monday report

The incident is framed against a broader rise in software supply chain attacks targeting open-source ecosystems. The report cites past activity by threat actors such as TeamPCP, which has been described as compromising widely used packages to distribute credential‑stealing malware capable of harvesting sensitive data and enabling attackers to expand their reach.

In a report published Monday, Google connected stolen credentials from such compromised environments to downstream criminal monetization: the credentials, Google said, have been monetized through partnerships with ransomware and data theft extortion groups. That linkage underscores the practical consequence of supply‑chain compromises beyond the initial compromise of code repositories or package indexes.

What this means for technologists, enterprises, and end users

  • Technologists and security teams: Expect a heightened need to inspect dependencies and monitor for suspicious package behavior. The pause on new RubyGems registrations indicates a containment posture while investigation and remediation proceed.
  • Affected enterprises and procurement leaders: The Google report cited above suggests that stolen credentials from supply‑chain incidents can be sold or shared with ransomware and extortion groups, creating downstream exposure even when the initial intrusion targets open‑source infrastructure rather than a corporate network directly.
  • End users and developers on Ruby: The visible site message and Mend.io’s public statements signal that account creation and contributor workflows may be disrupted until the incident is contained and details are released.
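The first bullet above recommends inspecting dependencies while the incident is open. The script below is an added example, not code from Mend.io, RubyGems or the original story: it parses two Gemfile.lock snapshots (a previously reviewed one and the current one), reports gems that were added, removed or changed version, and flags an added gem whose name is within one edit of a gem already in the lockfile, a cheap heuristic for lookalike names. The two lockfiles are constructed inline; the gem name "nokogirl" is invented for the demonstration and does not refer to any real package.

```ruby
# Added example: review a Gemfile.lock change before trusting it.
# Not affiliated with RubyGems or Mend.io; sample lockfiles are constructed.

# Parses the "specs:" blocks of a Gemfile.lock into { name => version }.
# Only top-level spec lines (4 spaces, "name (version)") are taken; the
# 6-space nested dependency lines are skipped. A blank line or a
# non-indented section header ends a specs block.
def parse_lockfile(text)
  gems = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    if in_specs && (line.strip.empty? || line =~ /^\S/)
      in_specs = false
      next
    end
    next unless in_specs
    gems[$1] = $2 if line =~ /^    (\S+) \(([^)]+)\)\s*$/
  end
  gems
end

# Levenshtein distance, used for the lookalike-name heuristic.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# Added gems whose name is one edit away from a gem already known to the
# project. Heuristic only: a hit deserves a manual look, not automatic rejection.
def lookalikes(added, known)
  added.each_with_object({}) do |name, out|
    match = known.find { |k| k != name && edit_distance(name, k) <= 1 }
    out[name] = match if match
  end
end

# Compares a reviewed lockfile with the current one.
def review(old_text, new_text)
  old_gems = parse_lockfile(old_text)
  new_gems = parse_lockfile(new_text)
  added   = (new_gems.keys - old_gems.keys).sort
  removed = (old_gems.keys - new_gems.keys).sort
  changed = (new_gems.keys & old_gems.keys)
            .reject { |g| old_gems[g] == new_gems[g] }
            .sort.map { |g| [g, old_gems[g], new_gems[g]] }
  { added: added, removed: removed, changed: changed,
    lookalikes: lookalikes(added, old_gems.keys) }
end

# Constructed sample: the lockfile as last reviewed.
OLD_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    mini_portile2 (2.8.5)
    nokogiri (1.16.0)
      mini_portile2 (~> 2.8.2)
    rack (3.0.8)
    rake (13.1.0)

PLATFORMS
  ruby

DEPENDENCIES
  nokogiri
  rack
  rake

BUNDLED WITH
   2.5.4
LOCK

# Constructed sample: the current lockfile, with a bumped rack version and
# an invented lookalike gem "nokogirl" slipped in next to nokogiri.
NEW_LOCK = OLD_LOCK.sub("rack (3.0.8)", "rack (3.0.9)")
                   .sub("    nokogiri (1.16.0)\n", "    nokogiri (1.16.0)\n    nokogirl (1.16.0)\n")

if __FILE__ == $0
  report = review(OLD_LOCK, NEW_LOCK)
  puts "added:      #{report[:added].inspect}"
  puts "removed:    #{report[:removed].inspect}"
  puts "changed:    #{report[:changed].inspect}"
  puts "lookalikes: #{report[:lookalikes].inspect}"
end
```

Run it against a saved copy of the last reviewed Gemfile.lock and the current one; every entry under added or lookalikes is a gem that nobody on the team has vetted yet, which is exactly the set worth checking by hand while a package index is under active attack.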

This remains a developing story. Mend.io has signaled it will provide more information post‑containment, but as of the report the attacker(s) and the full list of affected packages remain unidentified. The combination of a pause on new registrations, confirmation that "hundreds of packages" are involved, and the documented criminal market for stolen credentials described by Google together make clear that the incident sits at the intersection of open‑source operational risk and criminal monetization pathways.

For now, the immediate, documented facts are simple: RubyGems has stopped new account registrations; Mend.io has labeled the event a major malicious attack; hundreds of packages were uploaded with some carrying exploits; and attribution has not been established. Observers and affected parties will be watching for Mend.io’s promised update as the next concrete step in clarifying scope and impact.
