Translated from the original Japanese article
Tech 5 min read

RubyGems signup pause after 500+ malicious packages: lockfile and cache checks

セキュリティ サプライチェーン マルウェア
IkesanContents

TL;DR

Impact RubyGems.org new account registration suspended. Existing users’ gem install and push unaffected per official status

Action Hold off on adopting new gems. Check lockfiles for recently published, low-download, or typosquatting-named entries

Unknown Attacker identity, malicious gem names, exploit details, and signup reopening timeline. Official estimate is 2–3 days after Fastly WAF and rate limit adjustments

RubyGems.org suspended new account registration on May 12, 2026 at 08:54 UTC.
The cause was DDoS attacks and malicious spam uploads. In the May 13, 03:17 UTC update, the attack activity had stopped, bot accounts were blocked and deleted, and 500+ malicious packages had been yanked (force-removed) from the registry.
Signup suspension continues while Fastly WAF (Web Application Firewall) protections and account creation rate limits are being tuned before reopening.

The RubyGems signup page now shows that new account registration has been temporarily disabled.
Existing users’ gem install and push are explicitly listed as unaffected on the RubyGems status page.

The Hacker News’ initial report quotes Mend.io’s Maciej Mensfeld saying “hundreds of packages were involved, many targeting RubyGems itself, and some carrying exploits (attack code targeting vulnerabilities).”
At this point, attacker attribution, malicious gem names, and exploit details have not been disclosed.

Signup pause is not a bundle install shutdown

What directly changed is that new RubyGems.org accounts cannot be created.
Existing account push and existing gem install have not stopped.

If you’re running a Ruby app with gems already locked in your lockfile via bundle install, this is not an immediate full-stop event based on official information alone.
On the other hand, if you’re adopting new gems, running CI with wide version ranges, or have internal tools that resolve fresh from RubyGems.org every time, the areas to check are different.

The key thing to verify is gems that were newly added around May 12, 2026.
Gems with names similar to existing ones, gems published recently with little download history, and gems with empty or near-empty README/repository links won’t get clearer just by waiting for signup to resume.
It’s faster to extract new gem names resolved in that time window from your lockfile and CI logs first.

Packages targeting the registry itself

Recent npm incidents were mostly about stealing tokens from developer machines or CI runners.
In Mini Shai-Hulud spreading to TanStack and Mistral, OIDC tokens and cloud credentials on GitHub Actions runners were targeted.
In the axios npm compromise, a fake dependency was added to the legitimate package, dropping a RAT (Remote Access Trojan) via postinstall.

What stands out in RubyGems’ description this time is that some packages were targeting the RubyGems.org infrastructure itself, not just end-user machines.
In an August 2025 security response post, RubyGems.org described its upload-time static and dynamic analysis, risk scoring, re-scanning of older packages, and manual review processes.
Normally they remove about one malicious or spam package per week — this time it spiked to 500+.

In other words, the attack surface here includes not just individual gem users but the registry’s own detection, registration restrictions, WAF, and rate limiting.
RubyGems’ decision to shut down new signups reads as cutting off the attacker’s ability to mass-create new accounts before stopping existing gem distribution.

Logs to check before adding new dependencies

Even though RubyGems.org says malicious packages have been yanked, environments where tarballs remain in CI caches, local caches, or internal mirrors are a different story.
This is true for npm and PyPI contamination as well — in the LiteLLM PyPI contamination, even though the package was live for only about 46 minutes, some machines pulled it in via uvx auto-update.

On the Ruby side, check Gemfile.lock and CI logs.
Look for gems that first appeared after May 12, 2026, gems with sudden version bumps, and specs that resolve to different versions on each dependency resolution.
If you use bundle config or an internal mirror, also verify that yanked packages haven’t persisted on the mirror side.

For new gem adoption decisions, check the publication date on RubyGems.org, the owner, repository URL, and past version history.
Typosquatting (publishing packages with names similar to popular ones) has happened on RubyGems before, so manually-added gem names deserve extra scrutiny.
The same goes for gems added to a Gemfile by auto-generated code — don’t assume a name is legitimate just because it looks like a well-known library.

Information not yet disclosed

As of now, what RubyGems has officially disclosed covers: signup suspension, DDoS, bot account deletion, 500+ yanks, and the WAF/rate limit adjustment timeline.
The list of malicious gems, exploit types, and filenames or network indicators to look for in installed environments have not been published.

What can be done as of May 13, 2026 14:00 JST is not treating “all of RubyGems as compromised” but narrowly checking only Ruby dependencies added or updated around May 12.
When the next official update publishes gem names or IoCs (Indicators of Compromise), narrow your lockfile and cache checks to those specific entries.