Totally reads like post-facto CYA. they could have communicated this to the maintainers internally beforehand instead of blindsiding them.

The NPM breach was an email that stated the dev needed to update their MFA by the next day in order to keep their access.

If you're arguing that is what ruby central should have done, that's a social engineering attack.

	▲	mrinterweb 4 days ago \| parent \| next [-]
		How would a heads up email look like a phishing email? Blindsiding the maintainers like this is just cruel.
	▲	loloquwowndueo 4 days ago \| parent \| prev [-]
		It’s entirely possible to distinguish between legit internal communication and a phishing email. (It gets harder and harder every day but ultimately still possible)