Content Deep Dive

GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government

Blog post from Socket

Post Details
Company: Socket
Author: Joseph Edwards
Word Count: 3,825
Language: English
Summary

Socket's threat research team has been investigating a suspicious campaign, dubbed "GemStuffer", that uses the RubyGems registry as a data transport mechanism rather than as a channel for traditional malware distribution. The campaign involves over 100 RubyGems packages. Their low download counts and repetitive payloads indicate that they are not aimed at mass developer compromise. Instead, the packages collect data from UK local government portals, wrap it in .gem archives, and publish those archives back to RubyGems using hardcoded API keys. The operation appears to scrape public-facing portals run by councils such as Lambeth, Wandsworth, and Southwark, gathering material like council calendars and public meeting content, which makes it hard to classify as a spam campaign, a proof-of-concept worm, or plain package registry abuse. RubyGems has responded by disabling new account registrations and strengthening its spam detection; no existing packages or accounts were compromised. The campaign shows how a trusted package registry can be misused to store and transport scraped data, underscoring the need for vigilant monitoring of such platforms.