Ruby Central has published a post-incident review detailing an AWS root-access incident that began on September 19, 2025 and came to light publicly on September 30. The nonprofit says an unauthorized party changed the AWS root password for RubyGems.org at 04:35 UTC on September 19, then used the account to enumerate IAM permissions and reduce privileges for existing users. Ruby Central regained control on September 30 after a password reset and MFA verification. The organization says it has found no evidence of data exposure or service disruption; databases, S3 buckets, CI/CD pipelines and site availability were unaffected.

The episode surfaced when former maintainer André Arko emailed Ruby Central on September 30 to report that he still had access to production systems and monitoring tools. Minutes later, developer Joel Drapper published a blog post with screenshots of AWS root access. Ruby Central’s timeline states that a PutCredentials action was executed from a Los Angeles IP shortly before the nonprofit reset the account that day. The review attributes earlier root sessions to IPs in San Francisco (September 19) and Tokyo (September 28).

Ruby Central’s analysis blames two procedural failures: not rotating the AWS root credentials immediately after personnel changes, and assuming the shared root password stored in an enterprise vault had not been copied elsewhere. After regaining control, the group rotated all credentials, re-issued MFA, enabled CloudTrail and GuardDuty alerting for root activity, reviewed IAM roles for least-privilege, and began an external audit.
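The remediation above includes CloudTrail alerting on root activity. The script below is an added example, not code from Ruby Central or RubyGems.org: it implements the widely used CloudTrail root-usage filter (`userIdentity.type == "Root"`, not invoked by an AWS service, not a service event) in plain Python over a handful of constructed JSON-lines records, and ranks a root session that touches credentials (password, access keys, MFA devices) above plain read access. The log lines, account ID and IP addresses are constructed for illustration; the event names are standard CloudTrail ones, and the severity split is this example's own choice.

```python
"""Flag AWS root-account activity in CloudTrail records (added example).

Implements the common CloudTrail/CloudWatch root-usage filter in plain
Python so the logic can be read and tested offline. The sample records
below are constructed: account 111122223333 and the 198.51.100.x /
203.0.113.x addresses are documentation values, not real data.
"""
import json

# A root session that changes who can authenticate is the worst case and is
# ranked above a root session that only reads configuration. (This split is
# the example's own choice, not part of the standard filter.)
CREDENTIAL_CHANGE_EVENTS = {
    "PasswordUpdated",        # root password changed through the sign-in console
    "CreateAccessKey",
    "UpdateLoginProfile",
    "DeactivateMFADevice",
    "DeleteVirtualMFADevice",
}

# Constructed CloudTrail records, one JSON object per line.
SAMPLE_LOG_LINES = [
    # Root console sign-in: must alert.
    json.dumps({"eventTime": "2025-09-19T04:30:12Z", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
                "sourceIPAddress": "198.51.100.10",
                "userIdentity": {"type": "Root", "accountId": "111122223333"}}),
    # Root password change: must alert at the highest severity.
    json.dumps({"eventTime": "2025-09-19T04:35:40Z", "eventSource": "signin.amazonaws.com",
                "eventName": "PasswordUpdated", "eventType": "AwsApiCall",
                "sourceIPAddress": "198.51.100.10",
                "userIdentity": {"type": "Root", "accountId": "111122223333"}}),
    # Root enumerating IAM configuration: must alert.
    json.dumps({"eventTime": "2025-09-19T04:41:03Z", "eventSource": "iam.amazonaws.com",
                "eventName": "GetAccountAuthorizationDetails", "eventType": "AwsApiCall",
                "sourceIPAddress": "198.51.100.10",
                "userIdentity": {"type": "Root", "accountId": "111122223333"}}),
    # Ordinary IAM user doing routine work: no alert from this rule.
    json.dumps({"eventTime": "2025-09-19T05:02:00Z", "eventSource": "iam.amazonaws.com",
                "eventName": "DetachUserPolicy", "eventType": "AwsApiCall",
                "sourceIPAddress": "203.0.113.7",
                "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}}),
    # Root identity but invoked by an AWS service on the account's behalf: excluded.
    json.dumps({"eventTime": "2025-09-19T05:10:00Z", "eventSource": "s3.amazonaws.com",
                "eventName": "GetBucketAcl", "eventType": "AwsApiCall",
                "sourceIPAddress": "cloudformation.amazonaws.com",
                "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com"}}),
    # AWS-generated service event attributed to root: excluded.
    json.dumps({"eventTime": "2025-09-19T05:15:00Z", "eventSource": "kms.amazonaws.com",
                "eventName": "RotateKey", "eventType": "AwsServiceEvent",
                "sourceIPAddress": "kms.amazonaws.com",
                "userIdentity": {"type": "Root", "accountId": "111122223333"}}),
]


def parse_events(lines):
    """Parse JSON-lines CloudTrail records, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a mangled line should not silence the rest of the batch
    return events


def is_root_activity(event):
    """True for a human (or stolen-credential) root session, per the standard filter."""
    ident = event.get("userIdentity") or {}
    if ident.get("type") != "Root":
        return False
    if ident.get("invokedBy"):             # an AWS service acting for the account
        return False
    if event.get("eventType") == "AwsServiceEvent":
        return False
    return True


def severity(event):
    """Credential-affecting root calls outrank read-only ones."""
    return "critical" if event.get("eventName") in CREDENTIAL_CHANGE_EVENTS else "high"


def root_alerts(lines):
    """Return the alert records an on-call engineer should be paged about."""
    return [
        {"time": ev.get("eventTime"), "event": ev.get("eventName"),
         "source_ip": ev.get("sourceIPAddress"), "severity": severity(ev)}
        for ev in parse_events(lines) if is_root_activity(ev)
    ]


if __name__ == "__main__":
    for a in root_alerts(SAMPLE_LOG_LINES):
        print(f"{a['severity'].upper():8} {a['time']} {a['event']:32} from {a['source_ip']}")
```

Run against a real CloudTrail export, the same three checks would have raised an alert at the first root sign-in rather than eleven days later; the point of the `invokedBy` and `AwsServiceEvent` exclusions is to keep that alert quiet enough that it is never muted.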

The incident lands amid a larger dispute over control and stewardship of RubyGems and Bundler. In mid-September, Ruby Central removed or reduced access for long-time maintainers across GitHub organizations tied to RubyGems, triggering resignations and public criticism. The New Stack reported that maintainers were “kicked off” repositories, while Ruby Central framed the changes as necessary for security and fiduciary responsibility. Drapper’s reporting and commentary amplified community concerns over governance and transparency.

Coverage by The Register and independent blog posts described a breakdown between Ruby Central and core contributors, including the resignation of decade-long maintainer Ellen Dash following what she called a “hostile takeover.” Community threads on Reddit and Hacker News have chronicled timelines and debated the role of corporate stakeholders, with some posts alleging pressure from large ecosystem companies; Ruby Central has said it is strengthening stewardship and postponing a community Q&A to a more accessible time.

Arko has separately published reflections on departing RubyGems work and posted a merger agreement showing Ruby Central as the surviving entity in a consolidation with Ruby Together, the nonprofit he founded in 2015 to fund Ruby infrastructure. That merger context has featured in community discussions about who controls infrastructure, budgets, and access.

A key piece of the backdrop is the “secondary on-call” role. Ruby Central notes that the paid secondary rotation was rarely activated. Arko’s consultancy, which Ruby Central says had been paid about $50,000 per year for that backup duty, proposed providing it for free in exchange for access to production HTTP access logs containing IP addresses and other PII, which it wanted to analyze and potentially share. Ruby Central says it rejected the proposal on privacy and governance grounds and began formalizing tighter operator and contributor agreements.

Ruby Central’s incident report closes by calling the AWS event a genuine security incident because a single individual had come to control many systems and because a former maintainer still had access to production environments containing PII. The group says it will formalize Operator and Contributor Agreements, update revocation procedures to ensure immediate rotation of non-federated and shared credentials, and commission an independent security audit. As of October 9, 2025, Ruby Central says it has no evidence that any RubyGems.org data was copied or retained by unauthorized parties.

Why it matters

RubyGems.org underpins dependency management for millions of Ruby applications. Even without confirmed data loss, a period of unauthorized root-level control raises trust and governance questions across the ecosystem. Ruby Central asserts that remediation and audit work are underway; maintainers and community observers are watching whether promised agreements and process changes lead to clearer accountability and shared stewardship.

Author

Alex is the resident editor and oversees all of the guides published. His past work and experience include Colorlib, Stack Diary, Hostvix, and working with a number of editorial publications. He has been wrangling code and publishing his findings about it since the early 2000s.