Hacker News | bdmac97's comments

Hi all. I'm the (actual) owner of that gem.

As already hypothesized in the comments, I'm pretty sure this was a simple account hijack. The kickball user likely cracked an old password of mine from before I was using 1Password that was leaked from who knows which of the various breaches that have occurred over the years.

I released that gem years ago and barely remembered even having a rubygems account since I'm not doing much OSS work these days. I simply forgot to rotate out that old password there as a result, which is definitely my bad.

Since being notified and regaining ownership of the gem I've:

1. Removed the kickball gem owner. I don't know why rubygems did not do this automatically but they did not.

2. Reset to a new strong password specific to rubygems.org (haha) with 1Password and secured my account with MFA.

3. Released a new version 0.0.8 of the gem so that anyone that unfortunately installed the bogus/yanked 0.0.7 version will hopefully update to the new/real version of the gem.


One more reason why to use a password manager and have a unique password.

Thanks for sharing the info!


Sorry I meant to lump that in under the soft skills section. It was not meant to be an exhaustive list, there would be far more than 5 items :-)


There could have certainly been some of that but it didn't feel like it in the context (which I realize I didn't provide). I read the question as sincere but admit there's a chance it wasn't.

At any rate, I tried to answer him honestly with what I'd have told myself and it didn't have any bearing on the outcome one way or another.


Apologies in advance for the length (8 minutes). I've tried to whittle it down but it's a year of anguish for me. :-)


IMO, and as you mentioned, your best bet in those early days is to rely on your network and have that insanely compelling vision with which to sell them on. I think you need a certain level of trust with people for them to be willing to bet a significant chunk of their time and such an inordinate amount of energy on your vision. Conversely no matter how much the person may love you, if your vision for the company is a giant pile of "meh" then you won't (and shouldn't) have much luck convincing them either.

The two go hand in hand for your first few hires.


Absolutely agree with these points!


I got burned by this on Heroku recently as well but to a much lesser extent $$$-wise. My app typically runs on 1 dyno because it's basically not supported anymore. At some point I must have been messing around in the interface and accidentally bumped my dynos. Oops.

I personally think they should have a "WTF your load is like zero, you normally have X dynos, but you're using Y dynos for no real reason... dumbass" alert email... I certainly would have appreciated it!


I'm getting the same thing. Tried redownloading/reinstalling and no love. Had to 'killall Cloud' to even get the thing out of my menubar...


And yet every other device they make (basically) has one...


No GPS???


According to the specs page (http://www.apple.com/ipad/specs/) there is A-GPS, but only on the 3G model.


They are probably holding back features for next generations of iPad... launched in a year or so after the first one (it could have a camera also)

