GemStuffer hides U.K. council data in 150+ RubyGems
GemStuffer published more than 150 RubyGems embedding scraped U.K. ModernGov portal data (calendars, agendas, PDFs and contact details), pushed to the registry using hardcoded API credentials.
Researchers at application security firm Socket identified a campaign they call GemStuffer that published over 150 RubyGems containing scraped content from U.K. ModernGov council portals. The embedded records included meeting calendars, agenda items, linked PDF documents and officer contact details.
The packages wrapped HTTP responses from council portal pages inside valid .gem archives and pushed those archives to the RubyGems registry using hardcoded RubyGems API credentials. The activity targeted public-facing ModernGov portals used by Lambeth, Wandsworth and Southwark.
Socket’s technical analysis found multiple variants in the publishing workflow. Some packages fetch hardcoded council URLs, create a temporary credential environment under /tmp, override the HOME environment variable, build a gem locally and invoke the gem command-line interface to publish. Other variants skip the CLI and upload the .gem archive directly to the RubyGems API with an HTTP POST request. In all observed cases, the registry credentials were embedded in the code used to publish the packages.
Once a gem is published, anyone with the gem name and version can retrieve the archived content by running gem fetch, effectively making the registry a publicly indexed storage point for the scraped records. The packages generally used junk names, repeated version increments, showed little download activity and contained repetitive, self-contained payloads.
Socket researchers wrote, “The packages do not appear designed for mass developer compromise.” The firm described the activity as systematic and listed several possible explanations, including registry spam, an automated scraper misusing RubyGems as a storage layer, a proof-of-concept worm, or a deliberate test of package registry abuse.
RubyGems temporarily disabled new account registration after what was reported as a major malicious attack on the service; Socket researchers have not confirmed a direct link between that incident and GemStuffer.
Socket removed or reported many of the offending packages and urged registry operators to monitor for junk names, repeated version bumps and unexpected publishing behavior. The firm also recommended limiting embedded credentials and strengthening controls for programmatic publishing.
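The monitoring signals Socket lists (junk names, repeated version bumps, little download activity, self-contained data payloads) can be turned into a simple triage heuristic for a registry operator or a team auditing its own gem inventory. The following Ruby script is an added example, not code from Socket or from the campaign; the thresholds, the field names in each record, and the sample records are all constructed for illustration and are not Socket's published rules.

```ruby
# Heuristic triage for "data-stuffing" gems.
# Added example with constructed records; thresholds are assumptions, not Socket's rules.
require 'time'

BURST_WINDOW_SECONDS = 24 * 60 * 60 # versions inside this window count as a burst
BURST_MIN_VERSIONS   = 5            # ... if at least this many land in the window
LOW_DOWNLOADS        = 50           # total downloads below this is "little activity"
DATA_RATIO_THRESHOLD = 0.9          # share of bytes that are data files, not code
MIN_SIGNALS          = 3            # flag a gem when this many signals co-occur

# A "junk" name: long, letters and digits only, with many digits or few vowels.
def junk_name?(name)
  return false unless name.match?(/\A[a-z0-9]{10,}\z/)
  letters = name.count('a-z')
  vowels  = name.count('aeiou')
  digits  = name.count('0-9')
  digits >= 3 || (letters > 0 && vowels.to_f / letters < 0.3)
end

# Repeated version bumps: any BURST_MIN_VERSIONS releases inside BURST_WINDOW_SECONDS.
def version_burst?(release_times)
  times = release_times.map { |t| Time.parse(t) }.sort
  return false if times.size < BURST_MIN_VERSIONS
  times.each_cons(BURST_MIN_VERSIONS).any? { |w| w.last - w.first <= BURST_WINDOW_SECONDS }
end

# Self-contained payload: no runtime dependencies and almost all bytes are data files.
def data_stuffed?(record)
  total = record[:code_bytes] + record[:data_bytes]
  return false if total.zero?
  record[:dependencies].empty? && record[:data_bytes].to_f / total >= DATA_RATIO_THRESHOLD
end

# Collect the individual signals that fire for one gem record.
def signals_for(record)
  signals = []
  signals << :junk_name     if junk_name?(record[:name])
  signals << :version_burst if version_burst?(record[:released_at])
  signals << :low_downloads if record[:downloads] < LOW_DOWNLOADS
  signals << :data_stuffed  if data_stuffed?(record)
  signals
end

# Returns { gem_name => [signals] } for gems crossing MIN_SIGNALS.
def suspicious_gems(records)
  records.each_with_object({}) do |record, out|
    signals = signals_for(record)
    out[record[:name]] = signals if signals.size >= MIN_SIGNALS
  end
end

# Constructed sample records (hypothetical gems, not real registry data).
SAMPLE_RECORDS = [
  { name: 'kq7x3zp9vw2m', downloads: 12, dependencies: [],
    code_bytes: 2_000, data_bytes: 4_000_000,
    released_at: %w[2024-05-01T10:00:00Z 2024-05-01T11:00:00Z 2024-05-01T13:30:00Z
                    2024-05-01T15:00:00Z 2024-05-01T18:00:00Z 2024-05-01T21:45:00Z] },
  { name: 'rails_helper_utils', downloads: 15_000, dependencies: ['activesupport'],
    code_bytes: 120_000, data_bytes: 3_000,
    released_at: %w[2023-11-02T09:00:00Z 2024-03-18T14:00:00Z] },
  { name: 'tinyutil', downloads: 3, dependencies: [],
    code_bytes: 1_500, data_bytes: 0,
    released_at: %w[2024-05-02T08:00:00Z] }
]

if __FILE__ == $PROGRAM_NAME
  suspicious_gems(SAMPLE_RECORDS).each { |name, sig| puts "#{name}: #{sig.join(', ')}" }
end
```

Requiring several signals to co-occur matters: a brand-new legitimate gem will naturally have low downloads and no dependencies, so no single heuristic should flag a package on its own. The sample's third record is exactly that case and is left alone, while the first record trips all four signals.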
The campaign used the RubyGems repository as a storage channel for scraped public records rather than as a mechanism to deploy malware to developer systems.