rubygems
Safeguard articles tagged "rubygems" — guides, analysis, and best practices for software supply chain and application security.
24 articles
RubyGems Malicious Gem Arbitrary Code Execution via Missi...
CVE-2019-8324 let a malicious RubyGems package run arbitrary code at install time via a crafted multi-line gem name evaluated during the preinstall check.
RubyGems Escape Sequence Injection via Unpack API (CVE-20...
CVE-2019-8325 lets a malicious RubyGems package inject terminal escape sequences via the unpack API. Here's the impact, affected versions, and how to remediate it.
RubyGems.org domain takeover risk report
RubyGems.org hasn't adopted the domain-resurrection defenses PyPI rolled out in 2025 — leaving a proven account-takeover technique open across the Ruby ecosystem.
Ruby supply chain security report
A report on Ruby supply chain security: malicious RubyGems campaigns, maintainer credential compromises, and 2025's RubyGems governance dispute.
How Snyk scans Composer/PHP and RubyGems dependency manif...
A technical look at how Snyk parses composer.json/composer.lock and Gemfile/Gemfile.lock to build dependency trees and match PHP and Ruby packages against known vulnerabilities.
Comparing Malicious Package Tactics Across npm, PyPI, Rub...
npm, PyPI, RubyGems, and crates.io each get hit by malicious packages differently. Real incidents from 2018-2025 show how attacker tactics shift by ecosystem.
RubyGems Reserved Namespace Claims
A look at how organizations can claim reserved namespace prefixes on RubyGems.org, what the policy currently supports, and where it falls short for real enterprise use cases.
RubyGems.org and Sigstore: Progress Check
An honest look at where RubyGems.org stands with Sigstore integration, what has shipped, what is still being debated, and how maintainers can prepare for signed gems.
RubyGems Typosquatting Incidents: 2024
A running ledger of typosquat incidents on RubyGems.org through 2024, the patterns across them, and what the year's data says about where the registry's defenses still fall short.
RubyGems 2FA Enforcement Analysis
A look at how RubyGems.org rolled out mandatory 2FA for high-traffic gem maintainers, what it has caught, and what gaps still remain in the account-compromise defense story.
Ruby Gem Reserved Names Policy
How RubyGems.org handles reserved gem names, what protections exist for trademark holders, and where the policy creates friction for legitimate namespace claims.
RubyGems Yanked Gems: Security Risks of Removed Ruby Packages
When a Ruby gem is yanked from RubyGems.org, it creates security risks for projects that depended on it. Understanding the yanking mechanism is critical for Ruby supply chain security.