All is currently well; André yanked it and the hijacked rubygem (which appends an ‘if in production, wait randomly between 0 seconds and about an hour, then eval the text at this pastebin’ to what is otherwise the exact same code as v0.0.6) was ‘only’ downloaded 537 times.
As far as I can tell, Brian McManus, author and intended manager of this gem on rubygems.org, is not a lifter.
Presumably, if he had been, this report would have also ended up at tidelift’s desk and it would have gone from there, although in this case that wasn’t really needed: if I interpret this report correctly, Brian and the rubygems team responded very quickly.
So now for the question: Is tidelift currently giving off warnings to tidelift subscribers if they are one of the ‘lucky’ 537? If not, should tidelift be attempting to do that even if strong_password is not lifted, and if so, how?