659 points jolux | 1 comments
thomascountz ◴[] No.45301861[source]
An update from Ruby Central: Strengthening the Stewardship of RubyGems and Bundler

https://rubycentral.org/news/strengthening-the-stewardship-o...

loloquwowndueo ◴[] No.45301919[source]
Totally reads like post-facto CYA. They could have communicated this to the maintainers internally beforehand instead of blindsiding them.
downrightmike ◴[] No.45303795[source]
The NPM breach was an email that stated the dev needed to update their MFA by the next day in order to keep their access.

If you're arguing that is what Ruby Central should have done, that's a social engineering attack.
1. mrinterweb ◴[] No.45307157[source]
How would a heads up email look like a phishing email? Blindsiding the maintainers like this is just cruel.