VYPR
breach · Published May 13, 2026 · Updated May 18, 2026 · 1 source

GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data

A campaign dubbed GemStuffer has abused the RubyGems registry with over 150 gems to exfiltrate scraped data from U.K. council portals, using the package repository as a storage channel rather than for malware distribution.

Cybersecurity researchers at Socket have uncovered a novel campaign dubbed GemStuffer that has abused the RubyGems registry with more than 150 malicious packages. Unlike typical supply-chain attacks that aim to compromise developer machines, GemStuffer uses the registry itself as the exfiltration and storage channel. The packages fetch pages from U.K. local government democratic services portals, package the scraped content into valid .gem archives, and publish them back to RubyGems using hardcoded API keys.

The attack specifically targets the public-facing democratic services portals of Lambeth, Wandsworth, and Southwark councils, all of which run on ModernGov software. The scraped data includes committee meeting calendars, agenda item listings, linked PDF documents, officer contact information, and RSS feed content. Socket noted that the information appears to be publicly accessible anyway, making the attacker's end goals unclear.

Technically, the gems fetch hard-coded council portal URLs via HTTP requests, then package the responses into .gem archives. In some variants, the payload creates a temporary RubyGems credential environment under /tmp, overrides the HOME environment variable, builds a gem locally, and pushes it using the gem command-line interface. Other variants upload the archive directly to the RubyGems API via an HTTP POST request, bypassing the CLI entirely.

Once published, an attacker can retrieve the scraped data simply by running a 'gem fetch' command with the gem name and version. The campaign does not appear designed for mass developer compromise — many gems have little or no download activity, and the payloads are repetitive and self-contained. Instead, the registry is being used as a storage layer for exfiltrated data.
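As an added illustration from the defender's side, the following Ruby script is not Socket's tooling or anything from the report; it opens a .gem archive without installing it and checks for the traits described above: scraped HTML, RSS or PDF content sitting where Ruby source should be, hard-coded .gov.uk portal URLs, an overridden HOME, a credentials file containing :rubygems_api_key:, a key literal, and a direct push to the RubyGems API. The two sample gems it builds are constructed fixtures; the council domain and the key are placeholders, and the assumption that RubyGems API keys take the form `rubygems_` followed by 48 hex characters is the script's own.

```ruby
# Added triage example (not Socket's tooling): scan a .gem archive for the
# GemStuffer-style traits described above. Assumptions: the RubyGems API key
# format `rubygems_` + 48 hex characters, and all sample inputs below.
require 'rubygems'
require 'rubygems/package'
require 'zlib'
require 'fileutils'
require 'tmpdir'

# Content signatures of scraped web material rather than Ruby source.
SCRAPED_CONTENT = {
  'scraped_html' => /\A\s*(<!doctype\s+html|<html)/i,
  'scraped_rss'  => /\A\s*(<\?xml[^>]*\?>\s*)?<rss/i,
  'scraped_pdf'  => /\A%PDF-/,
}.freeze

# Source-level indicators of the publish-back mechanics the report describes.
CODE_INDICATORS = {
  'gov_uk_url'        => %r{https?://[\w.-]*\.gov\.uk},
  'home_override'     => /ENV\[\s*["']HOME["']\s*\]\s*=[^=]/,
  'credentials_yaml'  => /:rubygems_api_key:/,
  'hardcoded_api_key' => /\brubygems_[0-9a-f]{48}\b/, # assumed key format
  'registry_push_api' => %r{rubygems\.org/api/v1/gems},
  'gem_push_cli'      => /\bgem\s+push\b/,
}.freeze

PUSH_INDICATORS = %w[home_override credentials_yaml hardcoded_api_key
                     registry_push_api gem_push_cli].freeze

# Read every regular file inside data.tar.gz of a .gem without extracting to disk.
def read_gem_files(path)
  files = {}
  File.open(path, 'rb') do |io|
    Gem::Package::TarReader.new(io) do |outer|
      outer.each do |entry|
        next unless entry.full_name == 'data.tar.gz'
        Zlib::GzipReader.wrap(entry) do |gz|
          Gem::Package::TarReader.new(gz) do |inner|
            inner.each { |f| files[f.full_name] = f.read if f.file? }
          end
        end
        break # nothing of interest after data.tar.gz
      end
    end
  end
  files
end

# Returns [{file:, indicator:}, ...]: scraped files are classified by content,
# everything else is searched for the publish-back indicators.
def triage_files(files)
  files.flat_map do |name, body|
    head = body.byteslice(0, 512).to_s
    scraped = SCRAPED_CONTENT.find { |_, re| head.match?(re) }
    next [{ file: name, indicator: scraped.first }] if scraped
    CODE_INDICATORS.select { |_, re| body.match?(re) }
                   .map { |kind, _| { file: name, indicator: kind } }
  end
end

def scan_gem(path)
  triage_files(read_gem_files(path))
end

# Verdict: scraped web content plus any publish-back indicator, or two or more
# publish-back indicators on their own, matches the GemStuffer pattern.
def gemstuffer_like?(findings)
  kinds = findings.map { |f| f[:indicator] }.uniq
  pushes = (kinds & PUSH_INDICATORS).size
  (kinds.any? { |k| k.start_with?('scraped_') } && pushes >= 1) || pushes >= 2
end

# Constructed samples: inert string literals only, mirroring the traits in the
# report; the domain is invented and the key is an all-zero placeholder.
SUSPICIOUS_SOURCE = <<~RUBY
  PORTAL   = "https://democracy.example-council.gov.uk/committees" # hard-coded portal URL
  ENV["HOME"] = "/tmp/stuffer-home"                                 # temporary credential env
  CREDS    = ":rubygems_api_key: rubygems_#{'0' * 48}"             # placeholder, not a real key
  PUSH_URL = "https://rubygems.org/api/v1/gems"                     # direct API push endpoint
RUBY

SCRAPED_HTML = <<~HTML
  <!DOCTYPE html>
  <html><head><title>Committee meetings calendar</title></head>
  <body><a href="agenda.pdf">Agenda</a> Contact: clerk@example-council.gov.uk</body></html>
HTML

# Build a real .gem from an in-memory file map inside +dir+ (fixture helper only).
def build_sample_gem(dir, name, files)
  Dir.chdir(dir) do
    files.each do |rel, body|
      FileUtils.mkdir_p(File.dirname(rel))
      File.write(rel, body)
    end
    spec = Gem::Specification.new do |s|
      s.name = name
      s.version = '0.0.1'
      s.summary = 'constructed sample'
      s.authors = ['sample']
      s.files = files.keys
    end
    File.join(dir, Gem::Package.build(spec, true)) # skip validation for the fixture
  end
end

if __FILE__ == $PROGRAM_NAME
  ARGV.each do |path|
    findings = scan_gem(path)
    puts "#{path}: #{gemstuffer_like?(findings) ? 'SUSPICIOUS' : 'clean'}"
    findings.each { |f| puts "  #{f[:indicator]}\t#{f[:file]}" }
  end
end
```

Because the archives are ordinary gems, the same `gem fetch NAME -v VERSION` that an attacker would use to collect the data also lets a responder pull a suspect package for inspection without installing it; running the script over the fetched file keeps the triage offline and avoids executing any of the package's code.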

The discovery comes as RubyGems temporarily disabled new account registration following what has been described as a major malicious attack. While it is not clear if the two sets of activities are directly related, Socket said GemStuffer fits the same abuse pattern: using newly created packages with junk names to host scraped data.

Socket assessed that the systematic bulk collection and archival of this data raises the possibility that the attacker may be leveraging council portal access as a pivot to demonstrate capability against government infrastructure. The researchers noted that the mechanics are intentional: repeated gem generation, version increments, hardcoded credentials, direct registry pushes, and scraped data embedded inside package archives.

"It may be registry spam, a proof-of-concept worm, an automated scraper misusing RubyGems as a storage layer, or a deliberate test of package registry abuse," Socket said. The incident highlights a growing trend of attackers repurposing legitimate infrastructure — in this case, a package registry — for data exfiltration, bypassing traditional network monitoring tools that might not flag registry traffic as suspicious.

Synthesized by Vypr AI