Security firm Socket identified a novel malicious campaign, dubbed GemStuffer, that abused the RubyGems public package registry as a covert data exfiltration channel rather than a malware delivery vehicle. Over 150 malicious gem packages automatically scraped data from UK local government democratic services portals — then published the collected data back into the registry as new gem archives, using the public package repository itself as a dead drop. The campaign targeted ModernGov portals operated by Lambeth, Wandsworth, and Southwark councils in London.
How GemStuffer Turned the RubyGems Registry into an Exfiltration Channel
The GemStuffer campaign’s architecture inverts the conventional threat model for malicious package attacks. In a typical supply chain attack, malicious packages are uploaded to a registry so that developers who install them inadvertently execute malicious code on their own systems. GemStuffer operates on a fundamentally different logic: the packages do not attempt to compromise anyone who installs them. Instead, the registry itself functions as infrastructure — a publicly accessible storage and retrieval system for data the campaign collected from external targets.
Socket’s analysis documented the technical mechanism driving this inversion. Packages embedded with hardcoded RubyGems API credentials automatically performed the full exfiltration cycle without requiring any human operator interaction once deployed.
Three-Step Pipeline: Scrape UK Government Portals, Package as Gems, Publish
The campaign’s operational pipeline runs in three stages. First, each malicious package fetches live pages from UK local government ModernGov democratic services portals. ModernGov is a widely deployed software platform used by UK councils to publish democratic services information: committee meeting schedules, agenda documents, planning submissions, and council officer contact information. Second, the scraped HTTP responses are converted into structurally valid .gem archive files — packaging the collected HTML and document content inside the standard format used for RubyGems packages. Third, the packages are published back to the RubyGems registry using the hardcoded API credentials embedded in the original malicious package, storing the scraped data in a location accessible to whoever holds retrieval credentials.
The repeated gem publication with incremented version numbers — standard version-bumping behavior that automated package publishers perform — and the presence of hardcoded API credentials are the primary identifiers Socket used to detect and document the campaign.
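The two indicators above (embedded publisher credentials and packages whose payload is scraped web content rather than Ruby source) can be checked directly against a .gem archive, which is an outer tar holding `metadata.gz` and `data.tar.gz`. The following is an added example written for this article, not code from Socket's analysis or from the campaign; it builds two constructed gems in memory and assesses them. Assumptions: the RubyGems API key format is `rubygems_` followed by 48 hex characters, the 50% content threshold is illustrative, and the metadata YAML is a plain hash (a real gem's metadata is a tagged `Gem::Specification`, read with `Gem::Package.new(path).spec`).

```ruby
# Added example: inspect a .gem for GemStuffer-style indicators.
require 'rubygems/package'
require 'stringio'
require 'zlib'
require 'yaml'

# Assumed RubyGems API key shape: "rubygems_" + 48 hex characters.
API_KEY_RE = /rubygems_[0-9a-f]{48}/
# Payload files whose first bytes look like scraped pages or documents, not Ruby.
SCRAPED_RE = /\A\s*(<!DOCTYPE html|<html|<\?xml|%PDF-)/i

# Write {path => bytes} into an in-memory tar stream.
def tar_bytes(files)
  io = StringIO.new(''.b)
  Gem::Package::TarWriter.new(io) do |tar|
    files.each do |path, body|
      tar.add_file_simple(path, 0o644, body.bytesize) { |out| out.write(body) }
    end
  end
  io.string
end

# Build a structurally valid .gem: outer tar of metadata.gz and data.tar.gz.
# (Constructed for the example; metadata here is a plain hash, not a gemspec.)
def build_gem(name:, version:, files:)
  metadata = { 'name' => name, 'version' => version, 'files' => files.keys }.to_yaml
  tar_bytes('metadata.gz' => Zlib.gzip(metadata),
            'data.tar.gz' => Zlib.gzip(tar_bytes(files)))
end

# Read a tar stream back into {path => bytes}.
def untar(bytes)
  out = {}
  Gem::Package::TarReader.new(StringIO.new(bytes)) do |tar|
    tar.each { |entry| out[entry.full_name] = entry.read if entry.file? }
  end
  out
end

# Score a gem: share of payload bytes that are scraped content, and any file
# carrying a hardcoded registry credential.
def assess_gem(gem_bytes)
  outer = untar(gem_bytes)
  files = untar(Zlib.gunzip(outer.fetch('data.tar.gz')))
  total = files.values.sum(&:bytesize)
  scraped = files.values.select { |b| b.match?(SCRAPED_RE) }.sum(&:bytesize)
  ratio = total.zero? ? 0.0 : (scraped.to_f / total).round(2)
  creds = files.select { |_, b| b.match?(API_KEY_RE) }.keys
  { scraped_ratio: ratio, credential_files: creds,
    suspicious: ratio > 0.5 || !creds.empty? }
end

# Constructed samples: an ordinary library gem and a "stuffed" gem whose payload
# is a fake committee-listing page plus a publish script with a placeholder key.
BENIGN_GEM = build_gem(name: 'tidy-dates', version: '1.0.0',
  files: { 'lib/tidy_dates.rb' => "module TidyDates\n  def self.iso(t)\n    t.strftime('%F')\n  end\nend\n" })

SCRAPED_PAGE = "<!DOCTYPE html>\n<html><body><table>\n" +
  (1..20).map { |i| "<tr><td>Planning Committee #{i}</td><td>Agenda</td></tr>\n" }.join +
  "</table></body></html>\n"

STUFFED_GEM = build_gem(name: 'council-feed', version: '0.0.17',
  files: { 'lib/page_0017.html' => SCRAPED_PAGE,
           'lib/publish.rb' => "# hardcoded publisher credential (constructed placeholder value)\n" \
                               "API_KEY = 'rubygems_#{'0123456789abcdef' * 3}'\n" })

if __FILE__ == $PROGRAM_NAME
  puts "benign:  #{assess_gem(BENIGN_GEM)}"
  puts "stuffed: #{assess_gem(STUFFED_GEM)}"
end
```

Run as a script and the benign gem reports a zero scraped ratio and no credential files, while the stuffed gem reports a ratio above 0.5 and `lib/publish.rb` as a credential carrier. For a registry-side or mirror-side scan, the same `assess_gem` can be fed the bytes of each newly pushed version; combined with the version-bump cadence described above it gives a cheap first-pass filter.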
Lambeth, Wandsworth, and Southwark Councils Among Targeted Portals
The data collected from the targeted portals was publicly accessible through normal web browsing. Committee meeting calendars, agenda listings, PDF documents, council officer contact information, and RSS feeds were among the categories of content retrieved by GemStuffer packages. No non-public or restricted council data is identified in Socket’s analysis; the scraped content was the same information any member of the public could retrieve by visiting the ModernGov portals directly.
The significance of the collection lies not in the data’s immediate sensitivity but in the campaign’s use of the councils’ portals as targets and the RubyGems registry as infrastructure. Socket noted a pattern similarity between GemStuffer and the BufferZoneCorp mass upload campaign that recently forced RubyGems to suspend new package registrations, though the relationship between the two campaigns remains unclear based on current analysis.
GemStuffer vs. Traditional Supply Chain Attacks: A Distinct Threat Model
GemStuffer represents a distinct category of registry abuse that sits outside the standard supply chain attack classification. Traditional malicious package campaigns — typosquatting, dependency confusion, account takeover — are evaluated by defenders based on whether they could compromise developers or CI/CD pipelines that install the packages. GemStuffer packages pose no such risk to developers who encounter them in the registry; the packages are not designed to execute malicious code on installer machines.
The threat GemStuffer represents is directed at the registry platform itself and at the external targets being scraped. By treating a public package registry as persistent storage for collected data, the campaign demonstrates a technique that bypasses data loss prevention tools and network monitoring systems not configured to inspect outbound package publishing activity — an operational channel that has historically received less security scrutiny than inbound package installation.
The campaign also demonstrates that public infrastructure with write-access APIs — package registries, code hosting platforms, and similar services — can function as exfiltration channels even when the nominal security concern for those platforms centers on malicious content delivery rather than data storage.
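Closing the monitoring gap described in the two preceding paragraphs means treating outbound package publishing as an event worth alerting on. The following is an added example, not code from the article or from Socket: it parses constructed proxy-style log lines (`<timestamp> <source host> <method> <url> <status>`) and flags hosts that publish to RubyGems without being on an approved-publisher list, or that push in bursts. It assumes the push endpoint is `POST https://rubygems.org/api/v1/gems`, which is the endpoint `gem push` uses; the log format, host names and thresholds are assumptions for the example.

```ruby
# Added example: alert on unexpected outbound package publishing.
require 'time'

# The registry push endpoint (assumed: the one `gem push` talks to).
PUSH_ENDPOINT = %r{\Ahttps://rubygems\.org/api/v1/gems\z}

# Constructed proxy log: one approved CI runner, one workstation pushing in a burst.
SAMPLE_LOG = <<~LOG
  2024-05-01T09:00:01Z ci-runner-01 POST https://rubygems.org/api/v1/gems 200
  2024-05-01T09:12:44Z ws-finance-07 GET https://rubygems.org/gems/rails 200
  2024-05-01T09:12:50Z ws-finance-07 POST https://rubygems.org/api/v1/gems 401
  2024-05-01T09:13:02Z ws-finance-07 POST https://rubygems.org/api/v1/gems 200
  2024-05-01T09:15:40Z ws-finance-07 POST https://rubygems.org/api/v1/gems 200
  2024-05-01T09:18:11Z ws-finance-07 POST https://rubygems.org/api/v1/gems 200
  2024-05-01T09:21:55Z ws-finance-07 POST https://rubygems.org/api/v1/gems 200
  2024-05-01T09:30:09Z ws-finance-07 POST https://rubygems.org/api/v1/gems 200
  2024-05-01T12:00:30Z ci-runner-01 POST https://rubygems.org/api/v1/gems 200
LOG

# Parse "<ts> <host> <method> <url> <status>" lines into hashes.
def parse_log(text)
  text.each_line.map do |line|
    ts, host, method, url, status = line.split
    next if ts.nil?
    { at: Time.iso8601(ts), host: host, method: method, url: url, status: status.to_i }
  end.compact
end

# Only successful pushes to the registry count as publications.
def publish_events(text)
  parse_log(text).select do |e|
    e[:method] == 'POST' && e[:url].match?(PUSH_ENDPOINT) && e[:status] == 200
  end
end

# Return {host => [reasons]} for hosts that are not approved publishers or
# that push more than max_per_hour times within any one-hour window.
def flag_publishers(text, allowlist:, max_per_hour: 3)
  alerts = {}
  publish_events(text).group_by { |e| e[:host] }.each do |host, events|
    reasons = []
    reasons << 'not an approved publisher' unless allowlist.include?(host)
    times = events.map { |e| e[:at] }.sort
    # A burst is max_per_hour + 1 pushes whose first and last are <= 1h apart.
    burst = times.each_index.any? do |i|
      j = i + max_per_hour
      j < times.size && (times[j] - times[i]) <= 3600
    end
    reasons << "more than #{max_per_hour} pushes within an hour" if burst
    alerts[host] = reasons unless reasons.empty?
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  flag_publishers(SAMPLE_LOG, allowlist: %w[ci-runner-01]).each do |host, why|
    puts "#{host}: #{why.join('; ')}"
  end
end
```

On the sample log only `ws-finance-07` is reported, for both reasons; the CI runner's two pushes three hours apart pass. The same two checks (who is allowed to publish, and how often) apply equally to other write-access APIs the article names, such as code hosting platforms, by swapping the endpoint pattern.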