GemStuffer Campaign Abuses RubyGems as Dead Drop for Exfiltrated Data
Socket Research uncovers 'GemStuffer,' a campaign using RubyGems to store scraped UK government data, eliminating the need for a C2 server.

Socket Research has identified a novel threat campaign dubbed 'GemStuffer' that weaponizes the RubyGems package registry as a dead drop for exfiltrated data. Unlike typical supply chain attacks that distribute malware, this campaign uses RubyGems as a data transport mechanism, storing scraped information within .gem archives. The attacker published over 100 gems containing scripts that scrape public-facing data from UK local government portals in Lambeth, Wandsworth, and Southwark districts, then push the data back to RubyGems using hardcoded API keys.
The technical mechanism is straightforward yet innovative. The scripts within the packages fetch council calendar pages, agenda listings, and committee links, then package the scraped data into .gem archives. Some variants create a temporary RubyGems credential environment under /tmp, override HOME, build a gem locally, and push it to rubygems.org. Others skip the gem CLI entirely and POST the archive directly to the RubyGems API. The attacker later downloads the package to extract the data, eliminating the need for a command-and-control (C2) server.
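The behaviour described above (HOME pointed at a scratch directory, a transient `.gem/credentials` file, a `gem push`, or a direct POST to the RubyGems push endpoint) is unusual for a library and can be flagged before a gem is installed or run. The following Ruby script is an added illustration, not Socket's tooling or code from the campaign: it scans an unpacked gem's files for those indicators. The indicator patterns, the `scan_gem_dir`/`summarize` names and the sample gem contents are constructed for this example.

```ruby
# Added example, not Socket's tooling: heuristic scan of an unpacked gem's files
# for self-publishing behaviour (HOME override, transient credentials file,
# `gem push`, direct POST to the RubyGems API). Patterns and samples are constructed.
require "tmpdir"
require "fileutils"

# Label => pattern. Each is a signal that the package tries to publish from
# inside its own code, which a library normally has no reason to do.
PUBLISH_INDICATORS = {
  home_override:   /ENV\[\s*["']HOME["']\s*\]\s*=(?!=)|\bHOME=\S*\/tmp/,
  gem_push:        /\bgem["']?,?\s*["']?push\b/,   # "gem push" or system("gem", "push", ...)
  direct_api_post: /api\/v1\/gems/,                # RubyGems push endpoint path
  tmp_credentials: /\.gem\/credentials/,           # credentials file written outside ~/.gem
  api_key_ref:     /rubygems_api_key/,             # key name used inside that file
}.freeze

# Walk every regular file under dir; return one finding per (line, indicator) hit.
def scan_gem_dir(dir)
  findings = []
  Dir.glob(File.join(dir, "**", "*")).sort.each do |path|
    next unless File.file?(path)
    rel = path.delete_prefix(dir + "/")
    File.binread(path).each_line.with_index(1) do |line, n|
      PUBLISH_INDICATORS.each do |label, pattern|
        findings << { file: rel, line: n, indicator: label } if line.match?(pattern)
      end
    end
  end
  findings
end

# Distinct indicator labels seen, sorted. Two or more together is a strong signal;
# a single hit (e.g. a comparison against ENV["HOME"]) may be benign.
def summarize(findings)
  findings.map { |f| f[:indicator] }.uniq.sort
end

# Constructed sample resembling the publishing logic the article describes.
SAMPLE_SUSPICIOUS = <<~'RB'
  # constructed sample resembling the publishing behaviour described in the article
  ENV["HOME"] = "/tmp/gemhome"
  File.write("/tmp/gemhome/.gem/credentials", ":rubygems_api_key: PLACEHOLDER_NOT_A_REAL_KEY")
  system("gem", "push", "scraped-data-0.0.1.gem")
RB

# Constructed sample of ordinary library code with no publishing logic.
SAMPLE_BENIGN = <<~'RB'
  module CouncilCalendar
    def self.links(html)
      html.scan(%r{<a href="([^"]+)">}).flatten
    end
  end
RB

# Build a throwaway unpacked gem containing both samples, scan it, return findings.
def demo_scan
  Dir.mktmpdir("gemstuffer-scan") do |dir|
    FileUtils.mkdir_p(File.join(dir, "lib"))
    File.write(File.join(dir, "lib", "scraper.rb"), SAMPLE_SUSPICIOUS)
    File.write(File.join(dir, "lib", "calendar.rb"), SAMPLE_BENIGN)
    scan_gem_dir(dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  findings = demo_scan
  findings.each { |f| puts format("%-16s line %-3d %s", f[:file], f[:line], f[:indicator]) }
  puts "indicators: #{summarize(findings).join(', ')}"
end
```

Run it against a gem unpacked with `gem unpack <file>.gem` to review a package before installing it; only the constructed `lib/scraper.rb` produces hits in the demo, and the benign file produces none.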
The campaign's impact is currently limited: none of the 155-plus attacker-published packages has seen significant downloads. The technique nonetheless demonstrates a dangerous abuse of package registries for data exfiltration. The motivation remains unclear; it could be registry spam, a proof-of-concept worm, an automated scraper misusing RubyGems as a storage layer, or a deliberate test of package registry abuse. Socket noted that the activity coincided with a coordinated spam-publishing campaign against RubyGems, though no direct link was established.
Response from the security community has been cautious. Feross Aboukhadijeh, founder and CEO of Socket, described the technique as clever but 'noisy,' suggesting it may be testing or automation rather than a mature operation. He emphasized that the business risk lies less in these specific junk gems and more in what the behavior may be testing. Defenders should monitor publishing activity, not just installation, and lock down CI pipelines to prevent unauthorized gem pushes.
For developers, Socket urged caution and provided mitigation steps: audit the /tmp folder on potentially affected machines, identify the delivery vector if a package is present, and block outbound gem pushes in CI pipelines that do not publish gems. The campaign serves as a reminder that software package registries should not be implicitly trusted, as they can be abused for data transport rather than malware distribution.
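The first of those mitigation steps, auditing /tmp, is easy to script. The Ruby script below is an added example, not Socket's tooling: it walks a scratch directory and reports the two artifacts the article describes, a transient RubyGems credential environment (any `<dir>/.gem/credentials` file) and stray `.gem` archives staged for upload. The `audit_scratch_dir` name, the `Finding` struct and the planted demo files are constructed for this example; the `rubygems_api_key` key name is the one RubyGems uses in its credentials file.

```ruby
# Added example, not Socket's tooling: audit a scratch directory (default /tmp)
# for transient RubyGems credential environments and stray .gem archives.
# The demo plants constructed files in a throwaway directory.
require "find"
require "tmpdir"
require "fileutils"

Finding = Struct.new(:kind, :path, :detail)

# Walk root and return one Finding per suspicious artifact, sorted by path.
def audit_scratch_dir(root)
  findings = []
  Find.find(root) do |path|
    next unless File.file?(path)
    if File.basename(path) == "credentials" && File.basename(File.dirname(path)) == ".gem"
      # A credentials file under a scratch directory means HOME was redirected there.
      mode = format("%04o", File.stat(path).mode & 0o777)
      has_key = File.binread(path).include?("rubygems_api_key")
      findings << Finding.new(:gem_credentials, path,
                              "mode #{mode}, api key #{has_key ? 'present' : 'absent'}")
    elsif path.end_with?(".gem")
      # A built archive sitting in scratch space is a staged upload candidate.
      findings << Finding.new(:gem_archive, path, "#{File.size(path)} bytes")
    end
  rescue Errno::EACCES, Errno::ENOENT
    next # unreadable or vanished entry: skip rather than abort the audit
  end
  findings.sort_by(&:path)
end

# Plant constructed artifacts in a throwaway directory and audit it.
# Returns [kind, path relative to root, detail] triples.
def demo_audit
  Dir.mktmpdir("gemstuffer-audit") do |root|
    cred_dir = File.join(root, "work-1234", ".gem")
    FileUtils.mkdir_p(cred_dir)
    cred_file = File.join(cred_dir, "credentials")
    File.write(cred_file, ":rubygems_api_key: PLACEHOLDER_NOT_A_REAL_KEY\n")
    File.chmod(0o600, cred_file)
    FileUtils.mkdir_p(File.join(root, "build"))
    File.binwrite(File.join(root, "build", "scraped-data-0.0.1.gem"), "\x00" * 512)
    File.write(File.join(root, "notes.txt"), "nothing to see here")
    audit_scratch_dir(root).map { |f| [f.kind, f.path.delete_prefix(root + "/"), f.detail] }
  end
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.empty?
    demo_audit.each { |kind, path, detail| puts "#{kind}: #{path} (#{detail})" }
  else
    audit_scratch_dir(ARGV[0]).each { |f| puts "#{f.kind}: #{f.path} (#{f.detail})" }
  end
end
```

With no argument the script runs the planted demo; pass a directory (`ruby audit.rb /tmp`) to audit a real machine. A `gem_credentials` finding whose key is present identifies the delivery vector to investigate next, and the same walk can be pointed at CI runners' workspaces.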
This discovery fits a broader pattern of supply chain attacks exploiting package ecosystems. Recent campaigns have targeted npm, PyPI, and Packagist with worm-like behaviors. GemStuffer adds a new dimension by using registries as dead drops, highlighting the need for security teams to monitor both installation and publishing activities. As Aboukhadijeh noted, 'Security teams often focus on what packages developers install, but publishing activity needs attention too.'