RubyGems has temporarily disabled new account registrations following what maintainers described as a major malicious attack targeting the package registry.
Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, said in a post on X that the incident involved “hundreds of packages,” some of which allegedly contained exploits. The attack primarily targeted Mend.io, though the broader Ruby ecosystem was also affected.
Mensfeld later confirmed that more than 120 malicious packages had already been removed from the registry.
Separately, Ruby Central board member Marty Haught described the activity as a “coordinated spam-publishing campaign” carried out through newly created accounts distributing junk packages.
In an update published May 13, 2026, RubyGems said the attack had been stopped after bot accounts were identified and removed. The organization added that more than 500 malicious packages uploaded during the campaign had been yanked from the registry.
The platform said account sign-ups will remain paused for an estimated two to three days while it works with Fastly to deploy additional web application firewall protections and stricter rate limits on account creation.
“Registrations will remain closed while we coordinate with Fastly to enable WAF protection and tighten rate limiting on account creation. We expect this to take two to three days,” the maintainers said, adding that “gem installs and pushes for existing users are unaffected.”
It's currently unclear, who is behind the attack.