Gems yanked and accounts locked
Aditya Prakash edited this page Jul 20, 2019 · 11 revisions
There are a few select scenarios in which the rubygems.org team may yank a published gem and lock your account. These apply when the gem:
- creates a backdoor for remote code execution
- steals sensitive information from a host, such as HTTP cookies
- contains malware code

We will use this wiki to document yanked gems and locked accounts, along with the rationale for each action.
- Account locked: homografo
  - Gems yanked: All gems where shaggy is the owner
  - Reason: 168 out of 226 gem names were invalid as per Levenshtein rule.
  - Related: https://gist.github.com/sonalkr132/0af1746c14b42a41e01d20fffbed585b
- Account locked: Shaggy
  - Gems yanked: All gems where shaggy is the owner
  - Reason: Gems contain code for crypto mining and cookie/password stealing.
  - Related: rubygems/rubygems.org#2034
- Account locked: CrypticE
  - Gem yanked: All versions of passen
  - Reason: Latest version of passen had code for cookie stealing.
  - Related: help.rubygems.org#36541