
Gems yanked and accounts locked

Aditya Prakash edited this page Aug 19, 2019 · 4 revisions

There are a few select scenarios in which the rubygems.org team will yank a published gem and lock the publishing account, for example when the gem:

  • creates a backdoor for remote code execution
  • steals sensitive information from the host, such as HTTP cookies
  • contains malware

We will use this wiki page to document yanked gems and locked accounts, along with the rationale for each action.

19 Aug 2019

script/yank_user Mclovin
Yanking bitcoin_vanity: 4.3.3
Yanking lita_coin: 0.0.3
Yanking coming-soon : 0.2.8
Yanking omniauth_amazon: 1.0.1

script/yank_user DavidSpade
Yanking cron_parser: 1.0.12 1.0.13 0.1.4
Yanking coin_base: 4.2.2 4.2.1
Yanking blockchain_wallet: 0.0.6 0.0.7
Yanking awesome-bot: 1.18.0
Yanking doge-coin: 1.0.2
Yanking capistrano-colors: 0.5.5

20 July 2019

29 June 2019

  • Account locked: Shaggy
  • Gems yanked: All gems owned by Shaggy
  • Reason: Gems contain code for crypto mining and cookie/password stealing.
  • Related: rubygems/rubygems.org#2034

30 June 2019

  • Account locked: CrypticE
  • Gem yanked: All versions of passen
  • Reason: Latest version of passen had code for cookie stealing.
  • Related: help.rubygems.org#36541