A bug allowed anyone to yank certain gems and upload different files with the same name, same version number, and different platform. To verify your own app, check your Gemfile.lock history for changes that keep the same name and version number but add or change a platform. We have patched the bug, and found no malicious code uploaded using this vulnerability in the last 18 months of gem yanks and pushes.
The investigation is done, they’ve concluded the vulnerability was not abused: https://www.whitesourcesoftware.com/resources/blog/impact-analysis-rubygems-critical-cve-2022-29176-unauthorized-package-takeover/
Related links:
The “tl;dr” section from the advisory: