GemStuffer Campaign Abuses RubyGems as Exfiltration Channel ...
15-May-2026 175
GemStuffer abuses RubyGems as an exfiltration channel, packaging scraped UK council portal data into junk gems published from new accounts.Socket's threat research team is tracking a suspicious RubyGems campaign we’re calling GemStuffer, involving more than 100 gems that appear to use the RubyGems registry as a data transport mechanism rather than a conventional malware distribution channel.
The packages do not appear designed for mass developer compromise. Many have little or no download activity, and the payloads are repetitive, noisy, and unusually self-contained. Instead, the scripts fetch pages from UK local government democratic services portals, package the collected responses into valid .gem archives, and publish those gems back to RubyGems using hardcoded API keys. In some samples, the payload creates a temporary RubyGems credential environment under /tmp, overrides HOME, builds a gem locally, and pushes it to rubygems.org. Other variants skip the gem CLI entirely and POST the archive directly to the RubyGems API.
GemStuffer Campaign Abuses RubyGems as Exfiltration Channel ... #ruby #rubydeveloper #rubyonrails #GemStuffer #Campaign #Abuses #RubyGems #Exfiltration #Channel #gemstuffer https://rubyonrails.ba/link/gemstuffer-campaign-abuses-rubygems-as-exfiltration-channel