shawesome gems are malicious or uselessly squatting

Eric Hodel

22 Nov, 2010 10:27 PM

eptics seems to be purely malicious. The gemspec is 50KB compressed, depends on the first 5000 gems and is generated by:

# s is the Gem::Specification under construction in the gemspec;
# File.read is assumed here, the forum rendering dropped that call and the block variable uses.
gems = Marshal.load(Gem.inflate(File.read("Marshal.4.8.Z")))  # legacy full index, keyed by gem name
count = 0
depended = []
gems.each do |name, gem|
  break if count == 5000
  next if depended.include?(name)
  s.add_runtime_dependency("#{name}", ">= 0.0.0")
  count += 1
  depended << name
end

open6 and open42 are empty, I assume the rest are as well.

rar is empty

mysql6 is empty, I assume the rest are as well.

he's squatting on the "rubygems", "rubygems", "gem" names

he's squatting on the "jquery", "node.js", "ack", "ps", "tail", "top"

he's squatting on "halgorium" and "leah-silber"

I don't see an ounce of good behavior out of this gem author.

  1. Posted by John Barnette on 22 Nov, 2010 10:32 PM

    There was a discussion started on the gemcutter list about this, I think. Adding [email blocked] to this discussion.

  2. Posted by Nick Quaranto (Support Staff) on 22 Nov, 2010 10:39 PM

    Made this public.

  3. Posted by James Tucker on 22 Nov, 2010 10:56 PM

    vote to kill.

  4. Posted by John Barnette on 22 Nov, 2010 10:57 PM

    I'd like to hear back from this person, but if we don't hear something incredibly reasonable in a very timely fashion this abuse needs to die.

  5. Posted by Tim C-S on 23 Nov, 2010 12:29 AM

    Hey dudes,

    I unfortunately decided to share my "gem squat" hack which I have been using non-maliciously for some time now.
    Over a night of fun times, we decided that it would be fun to exercise the API.
    Unfortunately, it does seem that our attempt at a fun joke turned into a nightmare for the whole setup.

    I'd like to apologise for the abuse and I'll make sure to mention to those involved to not continue with this.

  6. Posted by John Barnette on 23 Nov, 2010 12:33 AM

    Tim, are any of the gems on real? Or are they all trash?

  7. Posted by Dylan on 23 Nov, 2010 02:09 AM

    Feel free to delete everything except andywithoutatop.

  8. Posted by Nick Quaranto (Support Staff) on 23 Nov, 2010 02:50 AM

    Hi Dylan,

    I was given a heads-up from Tim to delete them all a few hours ago, we're in the process of cleaning it up...and I already deleted andywithoutatop. I was preparing to wipe out the whole account. The gems and gemspecs are already gone from S3...if you don't have a copy of the gem available we can get the gem from a mirror.

  9. Posted by Nick Quaranto (Support Staff) on 23 Nov, 2010 02:51 AM

    Actually, I can look into S3's versioning API as well if you don't have it locally...been meaning to do that. Let me know.

  10. Posted by Dylan on 23 Nov, 2010 02:53 AM

    That's fine. I'm pretty sure that was only the stub. Andy Without a Top will need some more iterations.

  11. Posted by Nick Quaranto (Support Staff) on 23 Nov, 2010 02:56 PM

    Just curious, how did you guys actually push gems with the same name up to the service? We have multiple gems with 88k+ dependencies and the same name. If you still have the gemspecs available on your machine I'd like to inspect them. Thanks for working with us here.

  12. Posted by Nick Quaranto (Support Staff) on 23 Nov, 2010 03:26 PM

    Account and gems deleted. Looks like we need a unique index on gem names, and limit the number of dependencies on a gem.

  13. Posted by Dylan on 23 Nov, 2010 07:06 PM

    Heya Nick,

    Funnily enough that did become a pain while trying to upload the gems. I did run into multiple issues where it'd complain about the name being taken. I think the gemspec is on another machine somewhere. I'll try and dig it up if you need it.

    PS. I think it was the universalsoldier platform we used to create the gem that ensured it was shawesome enough to duplicate itself.

    "[after he shot four police officers in the super market with ease] See! They're every where!"

    PPS. Also, it seems it'd be nice to validate required ruby and rubygems versions. Although the former could be somewhat limiting, the latter is actually controlled by a set of people so it wouldn't be an issue. It'd also be nice to either deny a gem with a future date or actually have it in the system and only release it when that date comes around.

    This was mainly brought about by Jeremy's RubyConf talk and lots of alcohol.
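The mitigations raised in comments 12 and 13 (a unique index on gem names, a cap on dependencies, validating required RubyGems versions and rejecting future-dated gems), sketched as server-side checks on an incoming gemspec. This is an added example, not RubyGems.org's own code; the 100-dependency cap, the reference RubyGems version 1.3.7 and the name registry are assumptions made for the example.

```ruby
require "rubygems"

# Added defensive example, not RubyGems' own code: checks a push endpoint could
# run on an incoming Gem::Specification. The cap, the reference RubyGems version
# and the name registry are assumptions made for the example.
MAX_DEPENDENCIES = 100                               # assumed cap per gem
LATEST_RUBYGEMS = Gem::Version.new("1.3.7")          # assumed newest release at check time

# Returns the list of rejection reasons; an empty list means the push is accepted.
def validate_push(spec, registry, now: Time.now)
  reasons = []

  # Name must be unique (the missing unique index that let duplicates through).
  reasons << "name #{spec.name.inspect} is already registered" if registry.include?(spec.name)

  # Cap runtime dependencies; the abusive gemspec declared 5000 of them.
  deps = spec.runtime_dependencies.size
  reasons << "#{deps} runtime dependencies exceeds cap of #{MAX_DEPENDENCIES}" if deps > MAX_DEPENDENCIES

  # Reject future-dated gems instead of holding them for later release.
  reasons << "date #{spec.date.utc.strftime('%F')} is in the future" if spec.date > now

  # required_rubygems_version must be satisfiable by a RubyGems release that exists.
  unless spec.required_rubygems_version.satisfied_by?(LATEST_RUBYGEMS)
    reasons << "required_rubygems_version #{spec.required_rubygems_version} cannot be satisfied"
  end

  reasons
end

# Builds a constructed sample spec (not from the thread) with the given traits.
def build_spec(name, dep_count:, date: Time.now.utc, rubygems_req: ">= 0")
  Gem::Specification.new do |s|
    s.name    = name
    s.version = "0.0.1"
    s.date    = date
    s.required_rubygems_version = Gem::Requirement.new(rubygems_req)
    dep_count.times { |i| s.add_runtime_dependency("dep#{i}", ">= 0.0.0") }
  end
end

REGISTRY = %w[rubygems gem jquery].freeze            # constructed set of taken names

if __FILE__ == $0
  abusive = build_spec("rubygems", dep_count: 5000, date: Time.now.utc + 30 * 86_400, rubygems_req: ">= 99.0")
  p validate_push(abusive, REGISTRY)                 # all four checks fail
  p validate_push(build_spec("fresh-name", dep_count: 2), REGISTRY)   # []
end
```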
