CYBERSECURITY researchers have highlighted a campaign dubbed GemStuffer that targeted the RubyGems repository with more than 150 gems acting as data exfiltration channels rather than as vehicles for malware distribution. The campaign purportedly fetches pages from U.K. local government democratic services portals, packages the scraped content into valid .gem archives, and publishes them back to RubyGems using hardcoded API keys, according to Socket.
The targets include public-facing ModernGov portals used by Lambeth, Wandsworth, and Southwark, with the attacker aiming to collect committee meeting calendars, agenda item listings, linked PDFs, officer contact details and RSS content. In some variants, the payload creates a temporary RubyGems credential environment, builds a gem locally or uses the gem CLI to push the archive to RubyGems, while other variants upload directly via the RubyGems API and require a simple gem fetch to retrieve the data.
Socket described the activity as an apparent abuse of the registry, noting the repetitive, noisy payloads and the use of embedded credentials. The story comes as RubyGems reportedly suspended new account registrations after a major malicious attack, a development possibly connected to this broader registry abuse pattern.