HackMyIP
2026-05-13 The Hacker News

GemStuffer Campaign: 150+ RubyGems Abused for U.K. Council Data Exfiltration

Supply Chain, Data Breach

Cybersecurity researchers have identified a sophisticated campaign dubbed "GemStuffer" that has compromised the RubyGems package repository with over 150 malicious gems designed to exfiltrate scraped data from U.K. local government portals. According to security firm Socket, the attack vector differs significantly from typical supply chain attacks—the packages are not engineered for mass developer compromise but instead abuse RubyGems as a covert storage and exfiltration channel. The malicious gems fetch pages from U.K. council democratic services portals, package the collected responses into valid .gem archives, and republish them to RubyGems using hardcoded API credentials.

The campaign specifically targets public-facing ModernGov portals used by Lambeth, Wandsworth, and Southwark councils, collecting committee meeting calendars, agenda item listings, linked PDF documents, officer contact information, and RSS feed content. Technical analysis reveals that some variants create temporary RubyGems credential environments under "/tmp," override the HOME environment variable, build gems locally, and push them to the registry using the gem command-line interface. Other variants bypass the CLI entirely, uploading archives directly via HTTP POST requests to the RubyGems API. Researchers note the payloads are "repetitive, noisy, and unusually self-contained," with many gems showing little to no download activity.
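As an added defensive illustration (not code from the article, Socket, or RubyGems): a Ruby triage check that opens a .gem archive without extracting it and measures how much of its data.tar.gz is bulk document content (HTML, PDF, XML, RSS) rather than Ruby source, the signature of a gem used as a storage container. The in-memory gem builder, the file names, the extension list and the 0.5 ratio threshold are constructed assumptions for this example.

```ruby
require 'rubygems/package'
require 'zlib'
require 'stringio'

# Bulk document extensions and the flag threshold: assumptions for this example.
BULK_EXT = %w[.html .htm .pdf .xml .rss .json .csv].freeze
BULK_RATIO_LIMIT = 0.5

# Builds an in-memory .gem (outer tar holding data.tar.gz) from path => contents.
# Constructed only as scanner input; metadata.gz and checksums are omitted.
def build_gem(files)
  data = StringIO.new
  gz = Zlib::GzipWriter.new(data)
  Gem::Package::TarWriter.new(gz) do |tar|
    files.each do |path, body|
      tar.add_file_simple(path, 0o644, body.bytesize) { |io| io.write(body) }
    end
  end
  gz.finish # write the gzip trailer without closing the StringIO
  outer = StringIO.new
  Gem::Package::TarWriter.new(outer) do |tar|
    tar.add_file_simple('data.tar.gz', 0o644, data.string.bytesize) { |io| io.write(data.string) }
  end
  outer.string
end

# Walks data.tar.gz without extracting it and sums bytes by file type. A payload
# that is mostly HTML/PDF/XML/RSS fits the "registry as storage" pattern.
def scan_gem(gem_bytes)
  entries = [] # [path, size] for every regular file inside data.tar.gz
  Gem::Package::TarReader.new(StringIO.new(gem_bytes)) do |outer|
    outer.each do |entry|
      next unless entry.full_name == 'data.tar.gz'
      Zlib::GzipReader.wrap(entry) do |gzio|
        Gem::Package::TarReader.new(gzio) do |inner|
          inner.each { |f| entries << [f.full_name, f.size] if f.file? }
        end
      end
    end
  end
  bulk, code = entries.partition { |name, _| BULK_EXT.include?(File.extname(name).downcase) }
  bulk_bytes = bulk.sum { |_, size| size }
  total = bulk_bytes + code.sum { |_, size| size }
  ratio = total.zero? ? 0.0 : bulk_bytes.to_f / total
  { bulk_files: bulk.map(&:first).sort, bulk_bytes: bulk_bytes,
    bulk_ratio: ratio.round(3), suspicious: ratio > BULK_RATIO_LIMIT }
end
```

Run it over every gem a build pulls in (for example from the Bundler cache) and review anything flagged; a legitimate gem with large fixture files will also score high, so the result is a triage signal, not a verdict.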

RubyGems has temporarily disabled new account registration following the attack, though it's unclear if this directly relates to GemStuffer. Socket assesses that the systematic bulk collection raises concerns about potential pivoting from council portal access to broader government infrastructure targeting. The attackers may be demonstrating capability against government systems, testing package registry abuse as a proof-of-concept, or simply misusing the registry as an unauthorized storage layer. Organizations should monitor their RubyGems dependencies for suspicious activity.

Source: The Hacker News
