Open Source · 2013-01-29 · 3 days · Backdoor, Remote Code Execution

gem-wrappers backdoor reached RubyGems.org

During a platform-level compromise of RubyGems.org (exploiting server vulnerabilities), attackers gained root filesystem access and replaced the legitimate 'gem-wrappers' gem file (v1.1.0) with a malicious version.

Story

gem-wrappers was the package-level artifact exposed by the 2013 RubyGems.org compromise. The attack was not a maintainer deciding to publish hostile code; it was a failure at the hosting platform that distributed gems to the Ruby ecosystem.

Public reporting tied the intrusion to a RubyGems.org server vulnerability that let attacker-controlled gem metadata execute on the service. Once the platform was compromised, the legitimate gem-wrappers 1.1.0 gem file was replaced with a malicious archive.

That made the trust path simple and dangerous. Users asking RubyGems.org for gem-wrappers 1.1.0 could receive the poisoned package from the canonical registry itself. Because the malicious artifact was served by the package host, the state of the source repository mattered less than the archive that RubyGems.org actually delivered.

RubyGems.org took the service offline, audited gems, and restored trust in the distribution platform. This record keeps the package artifact separate from the platform incident because the affected gem version and archive hash are concrete.

Affected Artifacts

Incident Context

Motive: Unauthorized Access Control
Attribution: Person
Cause: Compromised Infrastructure
Transitive: No
Actor: Individual Hacker

External References

Source record: oss/attacks/gem-wrappers/meta.yaml