From aae07814a2f7d8dac4cbb1df6c5ee821f6a3be1b Mon Sep 17 00:00:00 2001 From: Maciej Mensfeld Date: Sun, 14 Apr 2024 18:14:49 +0200 Subject: [PATCH 1/5] Add tea.xyz spam packages impact blog post --- ...lications-of-crypto-rewards-on-rubygems.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 _posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems.md diff --git a/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems.md b/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems.md new file mode 100644 index 0000000..84421dd --- /dev/null +++ b/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems.md 
@@ -0,0 +1,36 @@ +--- +title: The Implications of Crypto Rewards on RubyGems +layout: post +author: Maciej Mensfeld +author_email: maciej@mensfeld.pl +--- + +Recently, at RubyGems, we've encountered an unusual surge of empty packages, triggering an investigation by our team. This influx of pointless gems, referencing one of the reasonably popular packages, hinted at an attempt to manipulate the `tea.xyz` protocol. As with any potentially risky incident, we delved deeper into the motives and mechanics behind these submissions. This short article contains our investigation, the conclusions we've reached, and how, theoretically, individuals looking to abuse the system can distort the idea of rewarding OSS contributions. + +## `tea.xyz` Trigger + +The `tea` cryptocurrency creators claim that it came to life to enhance the sustainability of open-source software by rewarding projects based on their influence in the software ecosystem. It claims to utilize a 'Proof of Contribution' system, inspired by Google's PageRank, to measure the impact of various OSS packages. + +## The Unintended Consequences + +However, good intentions often come with challenges. At RubyGems, we began noticing a strange trend: the proliferation of empty gems. These gems weren't harmful per se but were peculiar in their consistent reference to a mildly popular OSS package. + +## Investigating the Anomalies + +As with any deviation in the ecosystem, we began an investigation. We considered multiple scenarios: + +- A spam attack to overwhelm our system. +- A cover for malicious activities. +- A scheme to manipulate tea's ranking system. + +What struck us was that many of these gems were published under account with otherwise legitimate packages. + +Digging deeper, we discovered that these accounts linked to a gem with over 100,000 downloads, which had its GitHub source changed after six years to include a `tea.yaml` file. 
This was a moment in our investigation that suggested the activities were aimed at exploiting the tea protocol rather than harming our ecosystem. + +## Addressing the Issue + +This realization led us to tighten our gem publishing limitations and increase monitoring for non-malicious but unexpected user behaviors. During the cleanup, we had minor delays in gem index updates; however, it was temporary. We also took strict action against accounts solely created for spamming, ensuring they didn't disrupt the community further. + +## Conclusion and Appeal + +While rewarding open-source contributions may seem noble, it can lead to unintended consequences, affecting RubyGems and other platforms, as detailed in [this](https://www.web3isgoinggreat.com/?id=teaxyz-spam) article. At RubyGems, we've encountered exploitation attempts that divert our resources and undermine trust and collaboration within our community. We remain committed to maintaining the integrity of RubyGems and supporting the broader open-source community, urging others to refrain from exploitative practices like the one described in this incident report. From dc66e387c797fbe57c710d52ef4f2b403af64f2b Mon Sep 17 00:00:00 2001 From: Maciej Mensfeld Date: Sun, 14 Apr 2024 19:15:48 +0200 Subject: [PATCH 2/5] use rubygems.org and full tea.xyz name --- ...lications-of-crypto-rewards-on-rubygems.md | 36 ------------------- ...tions-of-crypto-rewards-on-rubygems_org.md | 36 +++++++++++++++++++ 2 files changed, 36 insertions(+), 36 deletions(-) delete mode 100644 _posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems.md create mode 100644 _posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md diff --git a/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems.md b/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems.md deleted file mode 100644 index 84421dd..0000000 --- a/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems.md +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -title: The Implications of Crypto Rewards on RubyGems -layout: post -author: Maciej Mensfeld -author_email: maciej@mensfeld.pl ---- - -Recently, at RubyGems, we've encountered an unusual surge of empty packages, triggering an investigation by our team. This influx of pointless gems, referencing one of the reasonably popular packages, hinted at an attempt to manipulate the `tea.xyz` protocol. As with any potentially risky incident, we delved deeper into the motives and mechanics behind these submissions. This short article contains our investigation, the conclusions we've reached, and how, theoretically, individuals looking to abuse the system can distort the idea of rewarding OSS contributions. - -## `tea.xyz` Trigger - -The `tea` cryptocurrency creators claim that it came to life to enhance the sustainability of open-source software by rewarding projects based on their influence in the software ecosystem. It claims to utilize a 'Proof of Contribution' system, inspired by Google's PageRank, to measure the impact of various OSS packages. - -## The Unintended Consequences - -However, good intentions often come with challenges. At RubyGems, we began noticing a strange trend: the proliferation of empty gems. These gems weren't harmful per se but were peculiar in their consistent reference to a mildly popular OSS package. - -## Investigating the Anomalies - -As with any deviation in the ecosystem, we began an investigation. We considered multiple scenarios: - -- A spam attack to overwhelm our system. -- A cover for malicious activities. -- A scheme to manipulate tea's ranking system. - -What struck us was that many of these gems were published under account with otherwise legitimate packages. - -Digging deeper, we discovered that these accounts linked to a gem with over 100,000 downloads, which had its GitHub source changed after six years to include a `tea.yaml` file. 
This was a moment in our investigation that suggested the activities were aimed at exploiting the tea protocol rather than harming our ecosystem. - -## Addressing the Issue - -This realization led us to tighten our gem publishing limitations and increase monitoring for non-malicious but unexpected user behaviors. During the cleanup, we had minor delays in gem index updates; however, it was temporary. We also took strict action against accounts solely created for spamming, ensuring they didn't disrupt the community further. - -## Conclusion and Appeal - -While rewarding open-source contributions may seem noble, it can lead to unintended consequences, affecting RubyGems and other platforms, as detailed in [this](https://www.web3isgoinggreat.com/?id=teaxyz-spam) article. At RubyGems, we've encountered exploitation attempts that divert our resources and undermine trust and collaboration within our community. We remain committed to maintaining the integrity of RubyGems and supporting the broader open-source community, urging others to refrain from exploitative practices like the one described in this incident report. diff --git a/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md b/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md new file mode 100644 index 0000000..0bf7905 --- /dev/null +++ b/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md 
@@ -0,0 +1,36 @@ +--- +title: The Implications of Crypto Rewards on RubyGems.org +layout: post +author: Maciej Mensfeld +author_email: maciej@mensfeld.pl +--- + +Recently, at [RubyGems.org](https://rubygems.org/), we've encountered an unusual surge of empty packages, triggering an investigation by our team. This influx of pointless gems, referencing one of the reasonably popular packages, hinted at an attempt to manipulate the `tea.xyz` protocol. As with any potentially risky incident, we delved deeper into the motives and mechanics behind these submissions. This short article contains our investigation, the conclusions we've reached, and how, theoretically, individuals looking to abuse the system can distort the idea of rewarding OSS contributions. + +## `tea.xyz` Trigger + +The `tea.xyz` cryptocurrency creators claim that it came to life to enhance the sustainability of open-source software by rewarding projects based on their influence in the software ecosystem. It claims to utilize a 'Proof of Contribution' system, inspired by Google's PageRank, to measure the impact of various OSS packages. + +## The Unintended Consequences + +However, good intentions often come with challenges. At RubyGems.org, we began noticing a strange trend: the proliferation of empty gems. These gems weren't harmful per se but were peculiar in their consistent reference to a mildly popular OSS package. + +## Investigating the Anomalies + +As with any deviation in the ecosystem, we began an investigation. We considered multiple scenarios: + +- A spam attack to overwhelm our system. +- A cover for malicious activities. +- A scheme to manipulate tea.xyz ranking system. + +What struck us was that many of these gems were published under account with otherwise legitimate packages. + +Digging deeper, we discovered that these accounts linked to a gem with over 100,000 downloads, which had its GitHub source changed after six years to include a `tea.yaml` file. 
This was a moment in our investigation that suggested the activities were aimed at exploiting the tea.xyz protocol rather than harming our ecosystem. + +## Addressing the Issue + +This realization led us to tighten our gem publishing limitations and increase monitoring for non-malicious but unexpected user behaviors. During the cleanup, we had minor delays in gem index updates; however, it was temporary. We also took strict action against accounts solely created for spamming, ensuring they didn't disrupt the community further. + +## Conclusion and Appeal + +While rewarding open-source contributions may seem noble, it can lead to unintended consequences, affecting RubyGems.org and other platforms, as detailed in [this](https://www.web3isgoinggreat.com/?id=teaxyz-spam) article. At RubyGems.org, we've encountered exploitation attempts that divert our resources and undermine trust and collaboration within our community. We remain committed to maintaining the integrity of RubyGems.org and supporting the broader open-source community, urging others to refrain from exploitative practices like the one described in this incident report. From 0c1f7802e739b4856ab6820881e9d51ec3117c67 Mon Sep 17 00:00:00 2001 From: Maciej Mensfeld Date: Tue, 16 Apr 2024 09:37:50 +0200 Subject: [PATCH 3/5] Update _posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md Co-authored-by: Martin Emde --- ...-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md b/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md index 0bf7905..aa16e7f 100644 --- a/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md +++ b/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md 
@@ -29,7 +29,7 @@ Digging deeper, we discovered that these accounts linked to a gem with over 100, ## Addressing the Issue -This realization led us to tighten our gem publishing limitations and increase monitoring for non-malicious but unexpected user behaviors. During the cleanup, we had minor delays in gem index updates; however, it was temporary. We also took strict action against accounts solely created for spamming, ensuring they didn't disrupt the community further. +This realization led us to tighten our gem publishing limitations and increase monitoring for non-malicious but unexpected user behaviors. During the cleanup, we had minor, temporary delays in gem index updates. We also took strict action against accounts solely created for spamming, ensuring they didn't disrupt the community further. ## Conclusion and Appeal From 0165c37d05d44f21f91bf7339f9755f0657314b2 Mon Sep 17 00:00:00 2001 From: Maciej Mensfeld Date: Tue, 16 Apr 2024 09:37:57 +0200 Subject: [PATCH 4/5] Update _posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md Co-authored-by: Martin Emde --- ...-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md b/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md index aa16e7f..d509a33 100644 --- a/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md +++ b/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md 
@@ -33,4 +33,4 @@ This realization led us to tighten our gem publishing limitations and increase m ## Conclusion and Appeal -While rewarding open-source contributions may seem noble, it can lead to unintended consequences, affecting RubyGems.org and other platforms, as detailed in [this](https://www.web3isgoinggreat.com/?id=teaxyz-spam) article. At RubyGems.org, we've encountered exploitation attempts that divert our resources and undermine trust and collaboration within our community. We remain committed to maintaining the integrity of RubyGems.org and supporting the broader open-source community, urging others to refrain from exploitative practices like the one described in this incident report. +While rewarding open-source contributions may seem noble, it can lead to unintended consequences, affecting RubyGems.org and other platforms, as detailed by this [web3isgoinggreat.com article](https://www.web3isgoinggreat.com/?id=teaxyz-spam). At RubyGems.org, we've encountered exploitation attempts that divert our resources and undermine trust and collaboration within our community. We remain committed to maintaining the integrity of RubyGems.org and supporting the broader open-source community. We urge others to refrain from exploitative practices like the one described in this incident report. From c52171a84f393b76f1b0274a9fdd87c17abcbd3a Mon Sep 17 00:00:00 2001 From: Maciej Mensfeld Date: Tue, 16 Apr 2024 09:40:44 +0200 Subject: [PATCH 5/5] Update 2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md remarks --- ...-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md b/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md index d509a33..b7876fc 100644 --- a/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md 
+++ b/_posts/2024-04-14-the-implications-of-crypto-rewards-on-rubygems_org.md @@ -33,4 +33,4 @@ This realization led us to tighten our gem publishing limitations and increase m ## Conclusion and Appeal -While rewarding open-source contributions may seem noble, it can lead to unintended consequences, affecting RubyGems.org and other platforms, as detailed by this [web3isgoinggreat.com article](https://www.web3isgoinggreat.com/?id=teaxyz-spam). At RubyGems.org, we've encountered exploitation attempts that divert our resources and undermine trust and collaboration within our community. We remain committed to maintaining the integrity of RubyGems.org and supporting the broader open-source community. We urge others to refrain from exploitative practices like the one described in this incident report. +While rewarding open-source contributions may seem noble, it can lead to unintended consequences, affecting RubyGems.org and other platforms, as detailed by this [web3isgoinggreat.com article](https://www.web3isgoinggreat.com/?id=teaxyz-spam). At RubyGems.org, we've encountered exploitation attempts that divert our resources and undermine trust and collaboration within our community. We remain committed to maintaining the integrity of RubyGems.org and supporting the broader open-source community, urging others to refrain from exploitative practices like the one described in this incident report. The RubyGems.org team takes these incidents seriously and accounts found violating terms or abusing the service will be blocked and ownership access revoked.
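Review bot: In the PATCH 1/5 new-file hunk, "published under account with otherwise legitimate packages" is missing an article and should read "published under accounts with otherwise legitimate packages"; the same sentence is carried unchanged into the re-created file in PATCH 2/5 and none of the later patches touch it, so it will ship as-is. In the same hunk, the "Addressing the Issue" paragraph says the team "tighten[ed] our gem publishing limitations" without saying which limitation changed (per-account publish rate, new-account restrictions, something else); operators of other registries reading this as an incident report will want that stated if it is public, or an explicit "we are not detailing the control" if it is not. Also, "these accounts linked to a gem with over 100,000 downloads" is ambiguous between the accounts owning that gem and the spam gems referencing it; the earlier sentence about gems "referencing" a popular package suggests the latter, so "these accounts were associated with a gem ..." or "the spam gems all referenced a gem ..." would remove the ambiguity.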
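Review bot: PATCH 2/5 shows the file move as a 36-line delete hunk followed by a 36-line create hunk, so the actual edits (the title gaining ".org", the RubyGems.org link, and the `tea` to `tea.xyz` substitutions) are hidden inside two full-file hunks; regenerating with rename detection (`git format-patch -M`) would present it as a rename with a handful of changed lines. On the new path, `rubygems_org.md` introduces an underscore into a slug that is otherwise hyphen-separated (`the-implications-of-crypto-rewards-on-`), so `rubygems-org.md` would match the existing convention and the resulting post URL. In the create hunk, the list item "A scheme to manipulate tea.xyz ranking system" lost the possessive when `tea's` was replaced and should read "tea.xyz's ranking system" or "the tea.xyz ranking system".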
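Review bot: The PATCH 5/5 hunk silently reverts the sentence split introduced in PATCH 4/5: the `-` line still has "supporting the broader open-source community. We urge others to refrain ...", while the `+` line goes back to "community, urging others to refrain ...", which looks like the edit was made against a copy that predates PATCH 4/5 rather than an intentional change; if the split is wanted, the `+` line should keep "We urge others ...". The sentence appended in the same `+` line joins two independent clauses without punctuation and should be split or given a comma: "The RubyGems.org team takes these incidents seriously, and accounts found violating the terms of service or abusing the service will be blocked and their gem ownership revoked." Saying "gem ownership" (rather than the unqualified "ownership access") also makes clear what is revoked, which is the concrete consequence readers of an enforcement notice will look for.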