Recently, Socket.dev published research highlighting malicious gems designed to steal social media credentials. We wanted to use this as an opportunity to share more about how RubyGems.org security operates, how we proactively handled this incident (and others), and the work our team is doing each day to keep the ecosystem safe.

How We Detect Malicious Gems

RubyGems.org security uses a proactive and multi-layered approach:

1. Automated detection: Every gem upload is analyzed using both static and dynamic code analysis, including behavioral checks and metadata review. Much of this capability comes from Mend.io's supply chain security tooling (originally built by our own Maciej Mensfeld, a maintainer on the RubyGems team).
2. Risk scoring: Each package is given a score. Higher-risk gems are escalated for manual review by a member of our security team.
3. Retroactive scanning: As detection techniques improve, older packages are automatically rescanned, which allows us to catch threats that may have slipped through in the past. (This is how we found the threat actor that Socket.dev later investigated.)
4. External sources: We sometimes receive alerts from vulnerability databases, industry partners, and cross-registry collaborations, which help us identify patterns across ecosystems.

Through steps 1-3, our team detects the majority (roughly 70-80%) of malicious packages before they are ever reported to us or the public.

What Happens When We Flag a Gem

Once a gem is flagged, we:

1. Verify: A RubyGems security engineer reviews the code to confirm malicious intent (about 95% of flagged packages prove to be legitimate).
2. Double-check: When there's any doubt, we seek a second opinion within the team.
3. Remove: Confirmed malicious gems are removed via a standardized process in our admin panel.
4. Document: Every action is logged with reasoning for traceability.
5. Protect further: In some cases, we preemptively block suspicious gem names (for example, ones mimicking compa...
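To make the detection and triage flow above concrete, here is a small added illustration in Ruby of a rule-based risk scorer with an escalation threshold and a retroactive rescan pass. It is an example written for this page, not RubyGems.org's or Mend.io's tooling; the rule names, weights, threshold, ruleset version and the sample gems are all constructed assumptions. The scan result keeps the list of rules that fired so that a reviewer has the reasoning to log alongside any action.

```ruby
# Added example: a toy risk-scoring pass over gem metadata and file contents.
# Not the RubyGems.org / Mend.io pipeline; every rule, weight and threshold
# here is an assumption chosen to illustrate the shape of such a system.
require "set"

RULESET_VERSION = "example-2"   # bumped whenever rules change (assumption)
ESCALATE_AT     = 50            # assumed threshold for manual review
POPULAR_GEMS    = %w[widgetly parseit].freeze # constructed stand-ins, not real gems

# Edit distance, used by the name-similarity metadata check.
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev.last
end

# Each rule returns a weight (points added to the score) or nil if it does not fire.
RULES = {
  # Static check: code that evaluates decoded data at load time is a common
  # obfuscation shape worth a human look.
  "eval_of_decoded_data" => lambda do |gem|
    gem[:files].values.any? { |src| src =~ /eval\s*\(?\s*Base64\.decode64/ } ? 40 : nil
  end,
  # Static check: a native-extension build script that talks to the network.
  "network_in_extconf" => lambda do |gem|
    src = gem[:files]["ext/extconf.rb"]
    src && src =~ /Net::HTTP|open-uri|Socket/ ? 30 : nil
  end,
  # Metadata review: name one edit away from a well-known gem.
  "lookalike_name" => lambda do |gem|
    POPULAR_GEMS.any? { |p| p != gem[:name] && levenshtein(p, gem[:name]) <= 1 } ? 25 : nil
  end,
  # Metadata review: publisher account created within the last week.
  "new_publisher" => lambda do |gem|
    gem[:publisher_age_days] < 7 ? 10 : nil
  end,
}.freeze

# Score one gem; the :hits map is the reasoning a reviewer would log.
def score_gem(gem)
  hits  = RULES.filter_map { |name, rule| (w = rule.call(gem)) && [name, w] }.to_h
  score = hits.values.sum
  { name: gem[:name], version: gem[:version], score: score, hits: hits,
    escalate: score >= ESCALATE_AT, ruleset: RULESET_VERSION }
end

# Retroactive scanning: rescore every gem whose stored result predates the
# current ruleset, and return the [name, version] pairs now needing review.
def rescan_stale(index, gems)
  gems.each_with_object([]) do |gem, escalated|
    key = [gem[:name], gem[:version]]
    next if index[key] && index[key][:ruleset] == RULESET_VERSION
    index[key] = score_gem(gem)
    escalated << key if index[key][:escalate]
  end
end

# Constructed sample uploads: one ordinary gem and one that trips several rules.
SAMPLE_GEMS = [
  { name: "widgetly", version: "1.0.0", publisher_age_days: 4000,
    files: { "lib/widgetly.rb" => "module Widgetly; VERSION = '1.0.0'; end" } },
  { name: "widget1y", version: "0.0.1", publisher_age_days: 2,
    files: { "lib/widget1y.rb" => "eval(Base64.decode64(BLOB))",
             "ext/extconf.rb"  => "require 'net/http'; Net::HTTP.get(URI('http://example.invalid'))" } },
].freeze

if $PROGRAM_NAME == __FILE__
  index = {}
  rescan_stale(index, SAMPLE_GEMS).each { |key| puts "escalate: #{key.join(' ')} #{index[key][:hits]}" }
end
```

A real pipeline would add dynamic/behavioral signals and external alerts as further rules, but the two properties worth copying are already visible here: the score carries its own justification, and the stored ruleset version is what makes "rescan everything older than this" a cheap, routine operation rather than a one-off.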