
Follow-up and Clarification on Recent Malicious Ruby Gems Campaign

A clarification on our recent research investigating 60 malicious Ruby gems.

Sarah Gooding

August 22, 2025

On August 7, 2025, we published threat research about a coordinated campaign involving 60 malicious Ruby gems. In that article, we highlighted the technical details of the malware and warned developers about the risks these gems posed.

Since then, we’ve had constructive conversations with the RubyGems.org security team, and we want to take a moment to clarify and correct the record.

Updating the Record

In our research, we described the malicious gems as having been “yanked by the author,” i.e. the threat actor. This phrasing was based on how the RubyGems.org website presented the removal information at the time. The website explicitly stated: “This gem previously existed, but has been removed by its owner” for the affected gems.

After speaking with the RubyGems.org security team, they clarified that another vendor, Mend.io, had also detected some of these malicious gems, and the team was in the process of removing them.

By relying on the automated gem status presented on the website, we unintentionally overlooked the important and proactive role their team played in protecting developers and the ecosystem. This gave too much credit to the threat actor, when it was the RubyGems.org security team that had been yanking the gems, even though the website stated that it was the gems’ author.

The RubyGems.org security team deserves recognition for their quick action and ongoing vigilance. Their work often happens behind the scenes, but the impact is felt widely by developers who rely on them to keep the Ruby ecosystem safe.

Moving Forward Together

This experience is a reminder that security in open source is a shared responsibility. At Socket, we’re committed to working collaboratively with ecosystems like RubyGems.org, and all the other ecosystems we support, to share intelligence, respond to incidents, and keep communities informed.

We’re grateful to the RubyGems.org team for the thoughtful and open conversation we had following our post, and we look forward to further collaboration. By working together, we can better protect developers and strengthen the resilience of open source software supply chains.
