We have another event-stream going on right now: strong_password

See this report about the strong_password v0.0.7 rubygem.

All is currently well; André yanked it and the hijacked rubygem (which appends a ‘if in production, wait randomly between 0 seconds and about an hour, then eval the text at this pastebin’ to what is otherwise the exact same code as v0.0.6) was ‘only’ downloaded 537 times.

As far as I can tell, Brian McManus, author and intended manager of this gem on rubygems.org, is not a lifter.

Presumably if he had been, this report would have also ended up at tidelift’s desk and it would have gone from there, although in this case that wasn’t really needed: if I interpret this report correctly, Brian and the rubygems team responded very quickly.

So now for the question: Is tidelift currently giving off warnings to tidelift subscribers if they are one of the ‘lucky’ 537? If not, should tidelift be attempting to do that even if strong_password is not lifted, and if so, how?

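As an added example (not code from this thread, from Tidelift, or from the strong_password project), here is a small Ruby check for the question above, whether an application is among those that resolved the affected release: it parses the resolved-gem section of a Gemfile.lock and matches each gem against an advisory map keyed by gem name. The affected version is the one named in the report; the lockfile contents and the advisory map are constructed for the example.

```ruby
require "rubygems"

# Constructed sample Gemfile.lock (not from the thread): an app that
# resolved the hijacked strong_password release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (5.2.3)
        activesupport (= 5.2.3)
      strong_password (0.0.7)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails
    strong_password
LOCK

# Advisory data: gem name => known-bad version requirements.
# The strong_password entry is the version named in the report above;
# in practice this map would be fed from your advisory source.
ADVISORIES = {
  "strong_password" => ["= 0.0.7"],
}.freeze

# Parse the "specs:" section of a Gemfile.lock into {name => version}.
# Only 4-space-indented "name (version)" lines are resolved gems; deeper
# indentation is a dependency declaration of the gem above it.
def parse_lockfile(text)
  text.each_line.with_object({}) do |line, specs|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    specs[m[1]] = m[2] if m
  end
end

# Return [[name, version, requirement], ...] for every resolved gem whose
# version satisfies one of its advisory requirements.
def find_affected(text, advisories = ADVISORIES)
  parse_lockfile(text).each_with_object([]) do |(name, version), hits|
    next unless (reqs = advisories[name])
    req = reqs.find { |r| Gem::Requirement.new(r).satisfied_by?(Gem::Version.new(version)) }
    hits << [name, version, req] if req
  end
end

if __FILE__ == $0
  find_affected(SAMPLE_LOCKFILE).each { |n, v, r| puts "#{n} #{v} matches advisory #{r}" }
end
```

Point it at a real lockfile with `find_affected(File.read("Gemfile.lock"))`; an empty result means none of the resolved versions match the advisory map.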

Yep we are flagging this one! We do track CVEs for unlifted packages as well, though I think the quality is higher when we have a lifter to review the list and which versions are affected.