RubyGems Implements Dependency Cooldowns to Combat Supply Chain Attacks

Severity: High (Score: 67.5)

Sources: simonwillison.net, christian-schneider.net, Csoonline, News.Risky.Biz

Published: 2026-06-08 · Updated: 2026-06-08

Keywords: rubygems, supply, chain, ruby, dependency, cooldowns, counter

Severity indicators: supply chain attack, supply chain

Summary

RubyGems has introduced dependency cooldowns in Bundler to mitigate supply chain attacks that exploit newly published packages. This feature delays the installation of packages until they have been available for a specified number of days, allowing time for malicious versions to be identified and removed. Recent attacks have targeted developer credentials, enabling threat actors to inject malicious code into packages. The cooldown system is designed to protect users by preventing the immediate installation of potentially compromised packages. Developers must manually enable this feature, which is disabled by default. RubyGems joins other package managers like npm and pip, which have already implemented similar measures. The move comes in response to a significant rise in supply chain attacks over the past nine months, with notable incidents affecting multiple ecosystems. The first public proof of concept for a related CVE was released on June 6, 2026, highlighting ongoing vulnerabilities in the ecosystem.

Key Points:

  • RubyGems has added dependency cooldowns to enhance security against supply chain attacks.
  • The cooldown feature delays package installations to allow time for malicious versions to be identified.
  • Developers must enable the cooldown feature manually, as it is disabled by default.

Detailed Analysis

**Impact**

Ruby developers and organizations relying on RubyGems for package management are affected by recent supply chain attacks targeting software repositories. The attacks compromise developer credentials to inject malicious code into widely used packages, risking credential theft and further spread of malicious updates. This issue impacts the global DevOps ecosystem, with hundreds of packages compromised weekly in related ecosystems like JavaScript and Python, though no specific numbers for RubyGems were provided. The business consequences include potential operational disruption and data breaches stemming from compromised development environments.

**Technical Details**

Attackers exploit stolen developer credentials to push malicious versions of packages immediately upon compromise, enabling rapid propagation through automated package installations. The attack vector involves injecting malicious code into package updates hosted on RubyGems, with the kill chain focused on the delivery and installation stages. No specific malware, CVEs, or IOCs were detailed in the articles. The newly introduced dependency cooldown feature delays installation of newly published gems by checking their publication timestamps, mitigating the risk of installing malicious updates during the initial vulnerable window.

**Recommended Response**

Developers should enable and configure dependency cooldowns in Bundler to delay installation of new package versions by a specified number of days, allowing time for detection and removal of malicious releases. Exceptions can be made to bypass cooldowns for urgent security patches. Monitoring for unusual package updates and credential compromise attempts remains critical. Organizations should prioritize enabling this feature and educating developers on its use to reduce exposure to supply chain attacks.
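To make the mechanism concrete, the following is an added illustration of the cooldown logic described above; it is not Bundler's or RubyGems' own code, and it makes no claim about Bundler's configuration keys. The gem index, version numbers and publish timestamps are constructed sample data (a real resolver would read them from the gem server). The resolver picks the newest version of each gem whose publish time is at least the configured number of days old, and an explicit exception list lets a team bypass the cooldown for a gem when an urgent patch is needed; anything held back is reported so the delay is visible rather than silent.

```ruby
require "time"

# Constructed sample index (assumption, not rubygems.org data):
# gem name => [[version, published_at (ISO 8601, UTC)], ...]
SAMPLE_INDEX = {
  "rack"     => [["3.1.8", "2026-04-20T10:00:00Z"], ["3.1.9", "2026-06-07T09:30:00Z"]],
  "nokogiri" => [["1.18.3", "2026-05-01T00:00:00Z"], ["1.18.4", "2026-06-02T12:00:00Z"]],
  "rails"    => [["8.0.2", "2026-03-15T00:00:00Z"]],
}.freeze

SECONDS_PER_DAY = 86_400

# Newest version of +gem+ that was published at least +min_age_days+ before +now+.
# Gems named in +exceptions+ skip the cooldown (the "urgent security patch" case).
# Returns nil when the gem is unknown or no version is old enough yet.
def select_version(index, gem, min_age_days:, now:, exceptions: [])
  candidates = index[gem]
  return nil unless candidates

  cutoff = now - min_age_days * SECONDS_PER_DAY
  eligible =
    if exceptions.include?(gem)
      candidates
    else
      # Compare publish timestamps against the cutoff; newer releases are held back.
      candidates.select { |_version, published| Time.iso8601(published) <= cutoff }
    end

  newest = eligible.max_by { |version, _published| Gem::Version.new(version) }
  newest&.first
end

# Resolve a list of gems and record which newer release, if any, was held back
# by the cooldown so the delay is visible to the operator.
def resolve(index, gems, min_age_days:, now:, exceptions: [])
  gems.each_with_object({}) do |gem, out|
    chosen = select_version(index, gem, min_age_days: min_age_days, now: now, exceptions: exceptions)
    latest = index.fetch(gem, []).max_by { |v, _| Gem::Version.new(v) }&.first
    out[gem] = { chosen: chosen, held_back: (latest if latest != chosen) }
  end
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2026, 6, 8)
  resolve(SAMPLE_INDEX, %w[rack nokogiri rails], min_age_days: 7, now: now).each do |gem, r|
    line = "#{gem}: #{r[:chosen] || 'no version old enough'}"
    line += " (held back: #{r[:held_back]})" if r[:held_back]
    puts line
  end
end
```

With a 7-day cooldown evaluated on 2026-06-08, `rack` resolves to 3.1.8 with 3.1.9 held back, `nokogiri` resolves to 1.18.3 with 1.18.4 held back, and `rails` is unaffected; adding `"rack"` to the exception list restores 3.1.9. A gem whose every release is younger than the window resolves to nothing, which is the case a real tool must surface to the operator rather than silently skip.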

Source articles (4)

  • Patching fast and slow: Ruby devs delay to defend against supply chain attack — Csoonline · 2026-06-05
    The team behind RubyGems, a package hosting site for Ruby developers, has added a new feature to bundler, a tool for managing Ruby packages (or ‘gems’) to protect developers against the recent wave of…
  • Risky Bulletin: RubyGems adds dependency cooldowns to counter supply chain attacks — News.Risky.Biz · 2026-06-08
    The RubyGems package manager has added support for dependency cooldowns as a way to counter a recent spate of supply chain attacks. The move copies similar efforts made in the JavaScript and Python ec…
  • Christian Schneider — christian-schneider.net · 2026-06-08
    Read on if your build pipelines auto-adopt new dependency versions — a zero-cost delay policy eliminates most supply chain attack windows. Most supply chain attacks follow the same arc. Malicious code…
  • Simon Willison — simonwillison.net · 2026-06-08
    Package Managers Need to Cool Down. Today's LiteLLM supply chain attack inspired me to revisit the idea of dependency cooldowns, the practice of only installing updated dependencies once they've bee…

Timeline

  • 2026-06-04 — CVE-2026-20245 published: A vulnerability related to supply chain attacks was disclosed, with a proof of concept released shortly after.
  • 2026-06-06 — First public PoC for CVE-2026-20245: The first proof of concept was released, demonstrating the exploitability of the vulnerability affecting Ruby package management.
  • 2026-06-08 — RubyGems implements dependency cooldowns: RubyGems added support for dependency cooldowns in Bundler to combat recent supply chain attacks, following community pressure.

CVEs

  • CVE-2026-20245

Related entities

  • TeamPCP (Apt Group)
  • Brute Force (Attack Type)
  • Data Breach (Attack Type)
  • Phishing (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Worm (Attack Type)
  • Durabletask Compromise (Campaign)
  • LiteLLM Supply Chain Attack (Campaign)
  • Operation Smishing Error524 (Campaign)
  • Operation TaxShadow (Campaign)
  • TanStack Compromise (Campaign)
  • Allekabels (Company)
  • AT&T (Company)
  • Bright Data (Company)
  • Elrond (Company)
  • Grafana Labs (Company)
  • IBM (Company)
  • Microsoft (Company)
  • Scoupy (Company)
  • TesseraDAO (Company)
  • Ticketcounter (Company)
  • Azure (Company)
  • Microsoft Azure (Company)
  • Dashlane (Tool)
  • 1Password (Tool)
  • Bitwarden (Tool)
  • Chrome (Tool)
  • Npm (Tool)
  • Aws Ssm (Tool)
  • Cron (Tool)
  • GitHub Actions (Tool)
  • Kubectl (Tool)
  • Netherlands (Country)
  • Romania (Country)
  • bellingcat.com (Domain)
  • newsonline.ro (Domain)
  • phrack.org (Domain)
  • Crates.io (Platform)
  • Android (Platform)
  • App Store (Platform)
  • Brave (Platform)
  • GitHub (Platform)
  • Gopass (Platform)
  • IOS (Platform)
  • Kubernetes (Platform)
  • Linux (Platform)
  • Origin (Platform)
  • Pass (Platform)
  • PyPI (Platform)
  • Vault (Platform)
  • Windows (Platform)
  • Pip (Platform)
  • [email protected] (Email)
  • Miasma (Malware)
  • Shai-hulud (Malware)
  • T1021 - Remote Services (Mitre Attack)
  • T1053 - Scheduled Task/Job (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)