Dealing with (Hypothetical) Sham Packages - RubyGems Blog
28-Feb-2025
Please pardon a blog post that is a bit different from the standard RubyGems release announcement.
Today, I’m going to spin you a tale about the impact malicious software packages have on application developers.
I want you to close your eyes, take a deep breath, and imagine the following (completely hypothetical, with absolutely no resemblance to real life) scenario.
Your company ships a web application written in your favorite language, Sham. Doing your best to stay productive and avoid re-implementing wheels of various shapes and sizes, you use packages for Sham, which, of course, are called Swindles. Your company is responsible, and uses all the fancy tooling to manage your Swindles, including a dependency manager that outputs lockfiles, Dependabot to automate version upgrades, and a code review process before anything makes its way into trunk.