A new threat campaign is using RubyGems as a dead drop to store exfiltrated data, with the attackers publishing more than 100 gems that appear to use the RubyGems registry as a data transport mechanism rather than a malware distribution channel.
According to Socket, the scripts within the packages fetch public-facing information from UK local government portals in Lambeth, Wandsworth and Southwark, scraping calendar pages, agenda listings, committee links and similar data, which is then published back to RubyGems as .gem archives via hardcoded API keys.
The campaign is notable for its use of automated tooling to repeatedly generate gems and push data, with some samples creating a temporary RubyGems credential environment under /tmp and even pushing a gem to rubygems[.]org, while others bypass the gem CLI entirely and POST the archive directly to the RubyGems API. Feross Aboukhadijeh, founder and CEO of Socket, described the technique as clever but “noisy,” and he noted that the activity may be testing or spam rather than a mature operation designed to stay hidden.
The long-term objective remains unclear, but researchers emphasise that RubyGems should not be implicitly trusted and advise organisations to audit /tmp, identify delivery vectors, and tighten publishing workflows to prevent abuse.
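As an added example (not Socket's tooling or any code from the campaign), the following Ruby script implements the audit the researchers recommend: it scans the source files of an unpacked gem for the publishing pattern described above, namely a hardcoded RubyGems API key or Authorization token, a credential file staged under /tmp, a `gem push`, or a direct POST to the `rubygems.org/api/v1/gems` endpoint, and flags a gem that both publishes and carries its own credential. The indicator regexes and the sample gem contents are constructed for this example.

```ruby
require "set"

# Heuristic indicators for the "registry as dead drop" behaviour described above.
# Constructed for this example; they flag patterns, not any specific gem.
INDICATORS = {
  hardcoded_api_key: /rubygems_api_key:\s*\S+/,              # key literal in source
  literal_auth_header: /Authorization\W{0,6}["']rubygems_/,  # token inline in request
  direct_push_api: %r{https?://(?:www\.)?rubygems\.org/api/v1/gems},
  gem_cli_push: /\bgem\s+push\b/,
  gem_build: /Gem::Package\.build|\bgem\s+build\b/,
  tmp_credentials: %r{/tmp/[^\s"']*\.gem/credentials|ENV\[["']HOME["']\]\s*=\s*["']/tmp},
}.freeze

# files: { "path/in/gem" => source text } for an unpacked gem (e.g. after `gem unpack`).
# Returns one finding per (file, line, indicator) hit.
def scan_sources(files)
  findings = []
  files.each do |path, content|
    content.each_line.with_index(1) do |line, no|
      INDICATORS.each do |name, re|
        findings << { file: path, line: no, indicator: name } if line.match?(re)
      end
    end
  end
  findings
end

# A gem that both publishes (CLI push or direct API POST) and carries its own
# publishing credential is behaving like the samples reported above.
def dead_drop_suspect?(findings)
  kinds = findings.map { |f| f[:indicator] }.to_set
  publishes = kinds.intersect?(Set[:direct_push_api, :gem_cli_push])
  carries_key = kinds.intersect?(Set[:hardcoded_api_key, :literal_auth_header, :tmp_credentials])
  publishes && carries_key
end

# Constructed sample gem contents mimicking the reported behaviour (not a real gem).
SAMPLE_GEM = {
  "lib/scraper.rb" => <<~RUBY,
    require "net/http"
    ENV["HOME"] = "/tmp/gemhome"
    File.write("/tmp/gemhome/.gem/credentials", ":rubygems_api_key: rubygems_EXAMPLEKEY\\n")
    system("gem build scraper.gemspec")
    system("gem push scraper-0.0.1.gem")
  RUBY
  "lib/direct.rb" => <<~RUBY,
    req = Net::HTTP::Post.new(URI("https://rubygems.org/api/v1/gems"))
    req["Authorization"] = "rubygems_EXAMPLEKEY"
  RUBY
  "lib/benign.rb" => "puts 'hello'\n",
}.freeze
```

Run `scan_sources(SAMPLE_GEM)` to list each hit by file and line, and `dead_drop_suspect?` on the result to get the overall verdict; on a real gem, feed it the file contents produced by `gem unpack`.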