-
-
Notifications
You must be signed in to change notification settings - Fork 902
Gems yanked and accounts locked
Aditya Prakash edited this page Dec 23, 2020
·
11 revisions
There are a few select scenarios where a published gem could be yanked and your account can be locked by the rubygems.org team members.
- creates a backdoor for remote code execution
- steals sensitive information from a host like HTTP Cookies
- contains code for a malware
We will use this wiki to document yanked gems, accounts locked along with the rationale for the action.
- Account locked: Peter_Gibbons2
- Gem yanked: https://rubygems.org/gems/pretty_color/versions/0.8.1
- Reason: obfuscated code on beautification was matching malware code https://github.com/365sec/twannacry/blob/master/wannacry.vbs
- Account locked: MikeJudge
- Gem yanked: https://rubygems.org/gems/ruby-bitcoin/versions/0.0.20
- Reason: obfuscated code on beautification was matching malware code https://github.com/365sec/twannacry/blob/master/wannacry.vbs
- Accounts locked: PeterGibbons, JimCarrey
- Gem yanked: https://gist.github.com/colby-swandale/11dadff435b02f887fc68178cd4fb0dc
- Gem yanked: pp
- Related: https://github.com/rubygems/rubygems.org/issues/1959
# ./script/yank_gem pp
Yanking pp
** [Honeybadger] Initializing Honeybadger Error Tracker for Ruby. Ship it! version=4.6.0 framework=rails level=1 pid=1361
Yanking pp
0.1.1
NEWER VERSION AVAILABLE: Please upgrade to AWS SDK For Ruby V3
Done.
- Gem yanked: basic_authable
- Related: https://help.rubygems.org/discussions/problems/37137
Yanking basic_authable
1.0.3
1.0.1
1.0.0
Done.
- Accounts locked: DavidSpade, Mclovin, mwmanning
- Gem yanked: rest-client 1.6.13
- Related: https://github.com/rubygems/rubygems.org/issues/2097
script/yank_user Mclovin
Yanking bitcoin_vanity: 4.3.3
Yanking lita_coin: 0.0.3
Yanking coming-soon : 0.2.8
Yanking omniauth_amazon: 1.0.1
script/yank_user DavidSpade
Yanking cron_parser: 1.0.12 1.0.13 0.1.4
Yanking coin_base: 4.2.2 4.2.1
Yanking blockchain_wallet: 0.0.6 0.0.7
Yanking awesome-bot: 1.18.0
Yanking doge-coin: 1.0.2
Yanking capistrano-colors: 0.5.5
- Account locked: homografo
- Gems yanked: All gems where shaggy is the owner
- Reason: 168 out of 226 gem names were invalid as per Levenshtein rule.
- Related: https://gist.github.com/sonalkr132/0af1746c14b42a41e01d20fffbed585b
- Account locked: Shaggy
- Gems yanked: All gems where shaggy is the owner
- Reason: Gems contain code for crypto mining and cookie/password stealing.
- Related: rubygems/rubygems.org#2034
- Account locked: CrypticE
- Gem yanked: All versions of passen
- Reason: Latest version of passen had code for cookie stealing.
- Related: help.rubygems.org#36541