As already hypothesized in the comments, I'm pretty sure this was a simple account hijack. The kickball user likely cracked an old password of mine, from before I was using 1password, that was leaked from who knows which of the various breaches that have occurred over the years.
I released that gem years ago and barely remembered even having a rubygems account, since I'm not doing much OSS work these days. I simply forgot to rotate out that old password there as a result, which is definitely my bad.
Since being notified and regaining ownership of the gem I've:
1. Removed the kickball gem owner. I don't know why rubygems did not do this automatically but they did not.
2. Reset to a new strong password specific to rubygems.org (haha) with 1password and secured my account with MFA.
3. Released a new version 0.0.8 of the gem so that anyone who unfortunately installed the bogus/yanked 0.0.7 version will hopefully update to the new/real version of the gem.
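Added example, not part of the original post or the author's gem: a small check a downstream user can run to find out whether a Gemfile.lock is still pinned to the yanked 0.0.7 release. The gem name `example_gem`, the `YANKED` table and the sample lockfile are constructed for illustration; only the version numbers 0.0.7 (yanked) and 0.0.8 (clean re-release) come from the post. The lockfile parser reads just the `specs:` block and ignores the indented transitive-dependency constraint lines.

```ruby
# Added example (not from the original post): scan a Gemfile.lock for gems
# pinned to versions that were yanked after an account hijack.
# "example_gem" and the YANKED table are hypothetical; only the versions
# 0.0.7 (yanked) and 0.0.8 (clean re-release) come from the post.

# Known-bad table, name => [yanked versions]; constructed for this example.
YANKED = {
  "example_gem" => ["0.0.7"],
}.freeze

# Minimal parser for the `specs:` block of a Gemfile.lock. Returns
# { name => version } for resolved gems. Only 4-space-indented entries are
# resolved specs; 6-space lines are dependency constraints and are skipped.
def parse_lockfile_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    # An unindented section header (PLATFORMS, DEPENDENCIES, ...) ends the block.
    in_specs = false if in_specs && line =~ /\A\S/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Returns [[name, version], ...] for every spec pinned to a yanked release.
def find_yanked_pins(lock_text, yanked = YANKED)
  parse_lockfile_specs(lock_text).select { |name, ver|
    yanked.fetch(name, []).include?(ver)
  }.to_a
end

# Constructed sample lockfile with the hypothetical gem pinned to the bad version.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example_gem (0.0.7)
      rake (13.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    example_gem
    rake
LOCK

if __FILE__ == $0
  find_yanked_pins(SAMPLE_LOCK).each do |name, ver|
    puts "#{name} #{ver} is pinned to a yanked release; run `bundle update #{name}`"
  end
end
```

In practice you would feed the real `Gemfile.lock` to `find_yanked_pins` and populate `YANKED` from the advisory for the affected gem; a pin is only cleared once the lockfile resolves to the re-released 0.0.8 or later.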