RubyGems pauses new signups after hundreds of malicious packages

RubyGems has halted new account registrations after hundreds of malicious packages were uploaded in an active attack; Mend.io and RubyGems are investigating and removing affected packages.

RubyGems has paused new account registrations after hundreds of malicious packages were uploaded to the package registry, according to security provider Mend.io. The site’s sign-up page now shows: “New account registration has been temporarily disabled.”

Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, posted on X that the incident is active and involves hundreds of packages. He wrote: “We’re dealing with a major malicious attack on Ruby Gems right now. Signups are paused for the time being. Hundreds of packages involved – mostly targeting us, but some carrying exploits.”

Mend.io, which provides security services for RubyGems, is working with the package host to identify and remove the uploads. Public updates have been limited while teams focus on containment and remediation. Mend.io has not provided a timetable for when new registrations will resume.

The registration pause applies only to new accounts; existing users retain access to packages on the site. The action aims to limit the creation of new publisher accounts while investigators review recent uploads.

RubyGems hosts libraries used by developers building applications in the Ruby programming language. Attackers have in recent years targeted open-source registries by uploading malicious or compromised packages to distribute malware or steal credentials. Security research has documented cases where credential-stealing code was inserted into popular packages and the stolen credentials were later used in ransomware and extortion operations.

Mend.io reported that some of the uploaded packages contain exploitable code. The party responsible for the uploads has not been identified, and there is no public confirmation that the packages successfully delivered malware or that user accounts were compromised.

Developers who use RubyGems are advised to review recent dependency changes, follow guidance from their security teams on rotating credentials when recommended, and scan projects for known indicators of compromise until a full list of affected packages is published.
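One way to carry out the dependency review advised above, as an added example that is not from the article, Mend.io or RubyGems: it compares two `Gemfile.lock` snapshots and reports gems that were added or changed version. The list of affected names is a hypothetical input, since no list has been published, and the sample lockfiles and the name `example-flagged-gem` are constructed.

```ruby
# Added example: report gems added or re-versioned between two Gemfile.lock snapshots.
require "set"

# Resolved specs sit at exactly four spaces; their six-space dependency lines are skipped.
SPEC_LINE = /^ {4}([A-Za-z0-9._-]+) \(([^)]+)\)$/

# Returns { gem_name => locked_version } parsed from lockfile text.
def locked_gems(lockfile_text)
  lockfile_text.each_line.with_object({}) do |line, gems|
    m = SPEC_LINE.match(line.chomp)
    gems[m[1]] = m[2] if m
  end
end

# One hash per gem that is new or changed; affected_names is caller-supplied (hypothetical).
def review_lockfile_change(before_text, after_text, affected_names = [])
  before = locked_gems(before_text)
  affected = affected_names.to_set
  locked_gems(after_text).filter_map do |name, version|
    old = before[name]
    next if old == version
    { name: name, from: old, to: version,
      change: old.nil? ? :added : :version_changed,
      listed: affected.include?(name) }
  end
end

# Constructed sample lockfiles; the gem names and versions are illustrative.
BEFORE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.0.8)
      sinatra (3.1.0)
        rack (~> 3.0)
LOCK

AFTER_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-flagged-gem (0.0.1)
      rack (3.0.9)
      sinatra (3.1.0)
        rack (~> 3.0)
LOCK

review_lockfile_change(BEFORE_LOCK, AFTER_LOCK, ["example-flagged-gem"]).each { |c| puts c.inspect }
```

In a repository, the earlier snapshot can be read with `git show <commit>:Gemfile.lock` and passed in as the first argument.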

The incident remains under investigation. Mend.io has said it will release more details once containment and remediation work is complete.
