GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data
Source: The Hacker News
Overview
Cybersecurity researchers have identified a new campaign dubbed GemStuffer that abuses the RubyGems repository. Over 150 malicious gems are being used as a data‑exfiltration channel rather than for traditional malware distribution.
“The packages do not appear designed for mass developer compromise,” Socket noted. “Many have little or no download activity, and the payloads are repetitive, noisy, and unusually self‑contained.”
Instead of targeting developers, the scripts fetch pages from U.K. local‑government democratic services portals, package the collected responses into valid .gem archives, and publish those gems back to RubyGems using hard‑coded API keys.
RubyGems temporarily disabled new account registration after a major malicious attack. While it is unclear whether the two incidents are directly related, the application‑security company said GemStuffer follows the same abuse pattern: creating junk‑named packages to host scraped data.
How the Campaign Works
- Fetching Data – Hard‑coded URLs of U.K. council portals are accessed, and the HTTP responses are saved.
- Packaging – The responses are bundled into a valid .gem archive.
- Publishing – The archive is pushed to RubyGems using embedded registry credentials.
Two main publishing methods have been observed:
- CLI‑based push – The malicious gem creates a temporary RubyGems credential environment under /tmp, overrides the HOME variable, builds the gem locally, and pushes it using the gem command‑line interface.
- Direct API upload – Some variants skip the CLI and upload the archive directly to the RubyGems API via an HTTP POST request.
Once the gem is published, an attacker can retrieve the scraped data with a single command:
gem fetch <gem-name> -v <version>
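For defenders reviewing gems, the publishing mechanics above translate into checkable indicators. The following script is an added example, not code from Socket or RubyGems: it scores a gem from its specification and the text of its Ruby files, flagging a hard‑coded RubyGems key (the `rubygems_` prefix pattern is an assumption), a HOME override under /tmp, a `gem push` invocation, a direct POST to the RubyGems upload endpoint, and an archive made mostly of stored HTML/PDF/RSS responses rather than code. The sample gem and key are constructed placeholders.

```ruby
require "rubygems"

# Heuristics derived from the publishing mechanics described above
# (assumed patterns, not a signature published by Socket or RubyGems).
INDICATORS = {
  hardcoded_rubygems_key: /\brubygems_[0-9a-f]{20,}\b/,        # assumed key format
  home_override_tmp:      /ENV\[\s*["']HOME["']\s*\]\s*=\s*["']\/tmp/,
  gem_push_cli:           /\bgem\s+push\b/,
  direct_api_upload:      /rubygems\.org\/api\/v1\/gems/
}.freeze

# Scraped council content is not Ruby code: flag archives that are mostly this.
PAYLOAD_EXT = %w[.html .htm .pdf .xml .rss].freeze

# Returns the names of indicators whose pattern appears in one source file.
def scan_source(source)
  INDICATORS.select { |_name, re| source.match?(re) }.keys
end

# Fraction of packaged files that look like stored responses rather than code.
def payload_ratio(files)
  return 0.0 if files.empty?
  files.count { |f| PAYLOAD_EXT.include?(File.extname(f).downcase) }.fdiv(files.size)
end

# Combines spec-level and source-level checks into one verdict for a gem.
def assess_gem(spec, sources)
  hits  = sources.flat_map { |src| scan_source(src) }.uniq
  ratio = payload_ratio(spec.files)
  hits << :bulk_stored_responses if ratio > 0.5
  { name: spec.name, version: spec.version.to_s,
    indicators: hits, payload_ratio: ratio.round(2),
    suspicious: hits.size >= 2 }
end

# Constructed sample mimicking the CLI-push variant; the key is a fake placeholder.
SAMPLE_SPEC = Gem::Specification.new do |s|
  s.name    = "council-data-0042"
  s.version = "0.0.42"
  s.files   = %w[lib/loader.rb data/calendar.html data/agenda.html data/report.pdf data/feed.rss]
end

SAMPLE_SOURCE = <<~RUBY
  ENV["HOME"] = "/tmp/gs-" + rand(1000).to_s
  File.write(ENV["HOME"] + "/.gem/credentials", "rubygems_0123456789abcdef0123456789abcdef0123456789abcdef")
  system("gem push pkg/council-data-0042-0.0.42.gem")
RUBY

puts assess_gem(SAMPLE_SPEC, [SAMPLE_SOURCE]).inspect
```

A real review would feed `assess_gem` the spec and file contents extracted from the downloaded archive; a single hit is weak evidence, but two or more together match the pattern described above.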
Targeted Sources
The campaign focuses on public‑facing ModernGov portals operated by the London boroughs of Lambeth, Wandsworth, and Southwark. Collected data includes:
- Committee meeting calendars
- Agenda item listings
- Linked PDF documents
- Officer contact information
- RSS feed content
All of this information is publicly accessible, but the systematic bulk collection and archival raise concerns about potential misuse.
Assessment
Socket assesses that the campaign could serve several purposes:
- Registry spam or proof‑of‑concept worm
- Automated scraper using RubyGems as a storage layer
- Deliberate test of package‑registry abuse
The mechanics are intentional: repeated gem generation, version increments, hard‑coded RubyGems credentials, direct registry pushes, and scraped data embedded inside package archives.
“It may be registry spam, a proof‑of‑concept worm, an automated scraper misusing RubyGems as a storage layer, or a deliberate test of package registry abuse,” Socket said.