by robotfelix 2493 days ago
It's worth noting that the hijacker pushed a malicious version of 1.6.x.

Version 1.7.0 was released to rubygems on 8th July 2014, and 2.0.0 on 2nd July 2016, so anyone who has started using rest-client or run a `bundle update` recently is unlikely to be affected.

The impact could have been significantly greater had the hijacker pushed new versions of 1.8.x or 2.x as well, so it's very fortunate the breach was spotted now.


That's a good point. Could indicate a targeted attack?

That was my first thought - it would seem as though releasing on a version that old would be deliberate, and why else would you do that if you weren't targeting something specific?

Don't most ruby projects vendor gems? So projects using 1.6 that didn't bundle update wouldn't be affected either. It sounds like only projects that were pinned to 1.6 that ran bundle update would be affected.

I only have a passing familiarity with ruby gems, so I may be completely wrong.

Yeah; I just grepped all of my own repos, it's quite out of date thankfully.

This situation definitely lends itself to push for 2FA by default on all rubygems.
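The audit the top comment implies (and the "grepped all of my own repos" remark above), as an added example that is not part of the thread: it reads a Gemfile.lock, pulls the resolved `rest-client` version out of the `specs:` block, and flags anything in the 1.6.x series. The assumption, stated in the code, is that any resolved 1.6.x pin deserves review, while 1.7.0+ and 2.x are treated as outside the affected series as the comment states; the lockfile content is constructed.

```ruby
# Added example (not from the thread): audit a Gemfile.lock for a resolved
# rest-client version in the 1.6.x series, the series the hijacker pushed to.
# Assumption: any resolved 1.6.x version is worth reviewing; 1.7.0 and later
# are treated as outside the affected series, per the comment above.
require "rubygems"

GEM_NAME = "rest-client"

# Constructed sample lockfile (not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.2.2)
      rest-client (1.6.9)
        mime-types (>= 1.16, < 4.0)
      rack (2.0.7)

  PLATFORMS
    ruby

  DEPENDENCIES
    rest-client (~> 1.6)
LOCK

# Resolved gems in a Gemfile.lock sit under "specs:" indented exactly four
# spaces ("    name (version)"); their own dependencies are indented six and
# the DEPENDENCIES section two, so the anchored regex skips both.
def resolved_versions(lock_text)
  lock_text.each_line.map do |line|
    m = line.match(/\A {4}(\S+) \((\S+)\)\s*\z/)
    m && [m[1], Gem::Version.new(m[2])]
  end.compact.to_h
end

# True when the resolved version is in the hijacked 1.6.x series.
def affected_series?(version)
  version >= Gem::Version.new("1.6.0") && version < Gem::Version.new("1.7.0")
end

# :not_present if the gem is absent, :affected_series for 1.6.x, else :ok.
def audit_lock(lock_text, gem_name = GEM_NAME)
  version = resolved_versions(lock_text)[gem_name]
  return :not_present unless version
  affected_series?(version) ? :affected_series : :ok
end

if ARGV.empty?
  puts "sample lockfile: #{audit_lock(SAMPLE_LOCK)}"
else
  ARGV.each { |path| puts "#{path}: #{audit_lock(File.read(path))}" }
end
```

Run it with one or more Gemfile.lock paths as arguments to audit real repositories; with no arguments it audits the constructed sample.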