RubyGems Suspends New Signups Following Malicious Package Attack

Severity: Medium (Score: 57.8)

Sources: Thehackernews, databreaches.net, News.Risky.Biz

Summary

RubyGems has halted new user sign-ups after a malicious attack on May 11, 2026, which involved the publication of hundreds of malicious packages targeting its staff. The malicious code aimed to execute cross-site scripting attacks and steal data from RubyGems developers. This incident is separate from a concurrent supply chain attack affecting the npm JavaScript package repository. RubyGems also reported a DDoS attack, though some experts question its classification. The full scope of the attack and what data was targeted remains unclear. RubyGems' security team is actively investigating the incident. The attack coincided with the publication of CVE-2026-45185, which had its first public proof of concept released on May 13, 2026. Key Points: • RubyGems disabled new sign-ups after hundreds of malicious packages were uploaded. • The attack targeted RubyGems staff with cross-site scripting attempts. • This incident is unrelated to a concurrent attack on the npm repository.

Key Entities

• Data Breach (attack_type)
• DDoS (attack_type)
• Phishing (attack_type)
• Ransomware (attack_type)
• Supply Chain Attack (attack_type)
• XSS (vulnerability)
• TanStack Supply Chain Attack (campaign)
• Apple (company)
• Best Western International (company)
• Foxconn (company)
• Google (company)
• Instructure (company)
• Mistral (platform)
• RubyGems (platform)
• Windows (platform)
• Germany (country)
• CVE-2026-42236 (cve)
• CVE-2026-45185 (cve)
• Cwe-79 - Cross-site Scripting (xss) (cwe)
• databreaches.net (domain)
• Manufacturing (industry)
• Technology (industry)
• Shai-hulud (malware)
• T1195 - Supply Chain Compromise (mitre_attack)
• Npm (tool)
• Cellebrite Hacking Tools (tool)
• Nitrogen (ransomware_group)