Cybersecurity researchers said a campaign called GemStuffer has abused more than 150 RubyGems packages to store scraped data from public U.K. local government sites, turning the registry into a data exfiltration channel rather than a malware delivery system.
KEY FACTS
- Scale: More than 150 gems were tied to the campaign.
- Method: The packages fetched council portal pages, packaged the responses, and published them to RubyGems.
- Targets: Public ModernGov portals used by Lambeth, Wandsworth, and Southwark were among those hit.
- Data: The collected material included meeting calendars, agenda listings, PDFs, contact details, and RSS feeds.
A technical analysis from Socket said the packages were repetitive, noisy, and often had little or no download activity. The report said the scripts used hardcoded U.K. council portal URLs and embedded RubyGems credentials to publish valid .gem archives back to the registry.
Some variants created a temporary RubyGems credential environment under /tmp, overrode the HOME environment variable, built a gem locally, and pushed it with the gem command-line tool. Other variants uploaded the archive directly to the RubyGems API with an HTTP POST request.
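The following Ruby triage script, added here and not taken from Socket's analysis or the campaign's packages, flags source files that combine a gem publishing path (the gem command-line tool or a direct API upload) with a bundled credential source, the two variants described above. The regexes, the `rubygems_` key format, and the sample files are assumptions constructed for illustration.

```ruby
# Added example: heuristic triage for the self-publishing behaviours described
# above. The patterns are assumptions made here, not Socket's published indicators.
INDICATORS = {
  home_override:    %r{ENV\[['"]HOME['"]\]\s*=(?!=).*/tmp|\bHOME=/tmp},
  credentials_file: %r{\.gem/credentials},
  gem_cli_push:     /\bgem['"]?\s*,?\s*['"]?push\b/,
  api_push:         %r{rubygems\.org/api/v1/gems(?![/\w])},
  embedded_api_key: /\brubygems_[0-9a-f]{32,}\b/ # assumed key format
}.freeze

# Names of the indicators that match anywhere in one source string.
def indicators_in(source)
  INDICATORS.select { |_, rx| source.match?(rx) }.keys
end

# A push path combined with a bundled credential source is the pattern of
# interest; a push alone (e.g. a release Rake task) only merits a look.
def classify(hits)
  push  = hits & %i[gem_cli_push api_push]
  creds = hits & %i[home_override credentials_file embedded_api_key]
  return :self_publishing if push.any? && creds.any?
  return :review if push.any? || creds.include?(:embedded_api_key)
  :clean
end

# Scan a { path => source } map, such as the files of an unpacked gem.
def scan(files)
  files.to_h { |path, src| [path, classify(indicators_in(src))] }
end

# Constructed sample files (not taken from the campaign).
SAMPLES = {
  "cli_variant.rb" => <<~'RB',
    ENV['HOME'] = '/tmp/gemhome'
    File.write(File.join(ENV['HOME'], '.gem/credentials'), creds)
    system('gem', 'push', built_gem)
  RB
  "api_variant.rb" => <<~'RB',
    uri = URI('https://rubygems.org/api/v1/gems')
    req['Authorization'] = 'rubygems_000000000000000000000000000000000000000000000000'
  RB
  "Rakefile" => %(task(:release) { sh "gem push pkg/demo-1.0.0.gem" }\n),
  "version.rb" => %(VERSION = "1.0.0"\n)
}.freeze

scan(SAMPLES).each { |path, verdict| puts "#{path}: #{verdict}" }
```

An ordinary release task that only calls `gem push` lands in `review` rather than `self_publishing`, since legitimate projects publish from build tooling without shipping credentials inside the package.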
Once published, the gems could be fetched by name and version to retrieve the scraped data. The disclosure said it was not clear whether the goal was registry spam, a proof-of-concept worm, a scraper using RubyGems as storage, or a test of package registry abuse.
The campaign emerged as RubyGems temporarily disabled new account registration after what it described as a major malicious attack. The article said it was not clear whether the two events were related.
WHY IT MATTERS
The case shows how a public package registry can be used to stage and retrieve scraped material, even when the underlying data is already public. It also highlights how package abuse can blur the line between storage, spam, and more active malicious use.

