Add tea.xyz spam packages impact blog post #187

Merged
merged 5 commits into from
Apr 17, 2024
@@ -0,0 +1,36 @@
---
title: The Implications of Crypto Rewards on RubyGems.org
layout: post
author: Maciej Mensfeld
author_email: [email protected]
---

Recently, at [RubyGems.org](https://rubygems.org/), we've encountered an unusual surge of empty packages, triggering an investigation by our team. This influx of pointless gems, referencing one of the reasonably popular packages, hinted at an attempt to manipulate the `tea.xyz` protocol. As with any potentially risky incident, we delved deeper into the motives and mechanics behind these submissions. This short article contains our investigation, the conclusions we've reached, and how, theoretically, individuals looking to abuse the system can distort the idea of rewarding OSS contributions.

## `tea.xyz` Trigger

The `tea.xyz` cryptocurrency creators claim that it came to life to enhance the sustainability of open-source software by rewarding projects based on their influence in the software ecosystem. It claims to utilize a 'Proof of Contribution' system, inspired by Google's PageRank, to measure the impact of various OSS packages.

## The Unintended Consequences

However, good intentions often come with challenges. At RubyGems.org, we began noticing a strange trend: the proliferation of empty gems. These gems weren't harmful per se but were peculiar in their consistent reference to a mildly popular OSS package.

## Investigating the Anomalies

As with any deviation in the ecosystem, we began an investigation. We considered multiple scenarios:

- A spam attack to overwhelm our system.
- A cover for malicious activities.
- A scheme to manipulate tea.xyz ranking system.

What struck us was that many of these gems were published under account with otherwise legitimate packages.

Digging deeper, we discovered that these accounts linked to a gem with over 100,000 downloads, which had its GitHub source changed after six years to include a `tea.yaml` file. This was a moment in our investigation that suggested the activities were aimed at exploiting the tea.xyz protocol rather than harming our ecosystem.

## Addressing the Issue

This realization led us to tighten our gem publishing limitations and increase monitoring for non-malicious but unexpected user behaviors. During the cleanup, we had minor delays in gem index updates; however, it was temporary. We also took strict action against accounts solely created for spamming, ensuring they didn't disrupt the community further.

## Conclusion and Appeal

While rewarding open-source contributions may seem noble, it can lead to unintended consequences, affecting RubyGems.org and other platforms, as detailed in [this](https://www.web3isgoinggreat.com/?id=teaxyz-spam) article. At RubyGems.org, we've encountered exploitation attempts that divert our resources and undermine trust and collaboration within our community. We remain committed to maintaining the integrity of RubyGems.org and supporting the broader open-source community, urging others to refrain from exploitative practices like the one described in this incident report.
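Review bot: a few wording slips in the post body are worth fixing before merge. In the "Investigating the Anomalies" list, "A scheme to manipulate tea.xyz ranking system" should read "A scheme to manipulate the tea.xyz ranking system", and the following paragraph's "published under account with otherwise legitimate packages" should be "published under accounts with otherwise legitimate packages". In "Addressing the Issue", "we had minor delays in gem index updates; however, it was temporary" should be "they were temporary". Separately, the front matter's `author_email` value appears here as `[email protected]`, which looks like a redaction placeholder rather than an address; confirm the committed file carries the intended value, since the `layout: post` template presumably renders it.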