Security News
Sarah Gooding
November 12, 2024
RubyGems.org has added a new “maintainer” role that enables users to publish new versions of a gem. The gem hosting service lists 183,080 gems with more than 183 billion downloads. This new permission type is aimed at improving security for the 205,000+ gem owners and the service overall.
Historically, the responsibility of maintaining these gems has rested on individual developers or small teams, often juggling security patches alongside feature enhancements. While this model has fostered a vibrant and collaborative community, it has also introduced vulnerabilities, as inconsistent maintenance can lead to delayed security updates and potential exploitation.
“Until today, permissions on a gem were simply binary: either you were an owner on a gem, and you could do anything, or you were not an owner, and you could do nothing,” Ruby Central engineer Colby Swandale said. “In response to user requests, we have added a new option, the maintainer role.”
The new Maintainers role is essentially limited to publishing new versions. On RubyGems.org, Owners and Maintainers now have distinct roles with varying levels of access and responsibilities:
RubyGems introduced support for Trusted Publishers as a security improvement in December 2023, inspired by PyPI. This is a more secure publishing method for gem owners that exchanges short-lived identity tokens between a trusted third-party service and RubyGems.org. Trusted Publishers eliminates the need to use username/password combinations or manually generated API tokens to authenticate when publishing a gem. Changing these settings is now restricted to Owner accounts.
“We’re adding the maintainer role primarily to improve security,” Swandale said. “As long as every user has owner permissions, gaining access to any of those accounts is enough to fully take over a gem. Since not all users need the maximum permissions of an owner, the new role allows the defensive security strategy often called ‘minimal permissions,’ where users are only given the permissions that they actually need to use, in order to reduce damage if an account is compromised.”
Swandale said RubyGems.org also has a long-term plan to add organization accounts to the gem hosting service, building on this underlying system that enables multiple permission types for gems. The new maintainer role is just the start of expanding the capabilities of gem management. Owners can now view and update permissions to give maintainers publishing rights without handing over full control of the owner account and security settings.