GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data
GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data
https://thehackernews.com/2026/05/gemstuffer-abuses-150-rubygems-to.html
Publish Date: 2026-05-13 04:08:00
Source Domain: thehackernews.com
Cybersecurity researchers are calling attention to a new campaign dubbed GemStuffer that has targeted the RubyGems repository with more than 150 gems that use the registry as a data exfiltration channel rather than for malware distribution.
“The packages do not appear designed for mass developer compromise,” Socket said. “Many have little or no download activity, and the payloads are repetitive, noisy, and unusually self-contained.”
“Instead, the scripts fetch pages from U.K. local government democratic services portals, package the collected responses into valid .gem archives, and publish those gems back to RubyGems using hardcoded API keys.”
The development comes as RubyGems temporarily disabled new account registration following what has been described as a major malicious attack. While it’s not clear if the two sets of activities are related, the application security company said GemStuffer fits the “same abuse pattern,” which involves using newly created packages with junk names to host the scraped data.
At a high level, the campaign abuses RubyGems as a place to stage the scraped council content. It does this by fetching hard-coded U.K. council portal URLs, packaging the HTTP responses into valid .gem archives, and publishing those archives to RubyGems using embedded registry credentials.
In some cases, the payload embedded within the gem creates a temporary RubyGems credential environment under “/tmp,” overrides the HOME environment variant, builds a gem locally, and pushes it to RubyGems using the gem command-line interface (CLI), as opposed to depending on pre-existing RubyGems credentials on the target machine.
Other variants of the malicious gems have been found to eschew the CLI component in favor of uploading the archive directly to the RubyGems API via an HTTP POST request. Once the new gems have been published, all an attacker has to do is run a “gem fetch” command with…
