Security researchers are sounding the alarm on a highly resourceful new campaign dubbed “GemStuffer.” Uncovered by Socket’s threat research team, this operation involves more than 100 packages that exploit the RubyGems registry. However, instead of using these packages as a conventional malware distribution channel to compromise developers, the attackers are using the registry as an illicit data transport mechanism.
GemStuffer is primarily focused on scraping public-facing ModernGov portals utilized by UK councils, specifically Lambeth, Wandsworth, and Southwark.
- The malicious scripts fetch council calendar pages, agenda listings, and committee links.
- The scripts actively crawl extracted links for additional document content, pulling full agenda item listings.
- Once the data is collected, the script packages the HTTP responses into valid .gem archives and pushes them back to RubyGems using hardcoded API keys.
While the data being scraped is nominally public, the systematic bulk collection suggests the attacker might be using this access as a pivot to demonstrate their capabilities against government infrastructure.
The technical execution of GemStuffer reveals an attacker with deep, practical knowledge of the Ruby ecosystem. The malware uses several methods to achieve its goals:
- The “HOME” Override: The script creates a temporary RubyGems credential environment under /tmp and overrides the HOME environment variable so the gem CLI reads from it exclusively.
- Permission Precision: The attacker uses a File.chmod(0600, …) command on the credentials file, demonstrating awareness that the gem CLI will abort if the file has broader permissions.
- Direct API POSTs: Some variants of the malware bypass the gem CLI entirely, constructing a manual HTTP POST request and sending the archive directly to the RubyGems API.
- Encoding Evasion: The authors deliberately use File.binwrite rather than File.write to store the stolen data, which prevents Ruby’s string encoding layer from raising exceptions on non-UTF-8 content—a detail that reveals a confident, experienced Ruby developer.
GemStuffer relies heavily on the inherent trust developers place in package registries. As the report points out, “publishing a package can look indistinguishable from normal release activity”. The operation blends in by acting exactly like a normal CI/CD pipeline releasing software updates.
According to Ruby Central’s Marty Haught, RubyGems has been responding to “a coordinated spam-publishing campaign” that was limited to newly registered accounts pushing junk packages. As a result, RubyGems temporarily disabled new account registration.
Socket’s threat research team outlines several key steps to secure environments against this technique:
- Yank Identified Gems: File abuse reports with RubyGems and run gem yank commands to ensure the malicious packages are removed.
- Audit /tmp Directories: Search all potentially affected machines for anomalies like /tmp/gemhome/ or randomized directory names matching the campaign’s patterns.
- Monitor ENV['HOME'] Mutations: Alert on any runtime behavior where a production Ruby process redirects the HOME path to /tmp, as this is abnormal for legitimate applications.
- Block Outbound Pushes: If your CI pipelines do not legitimately publish gems, configure egress rules to block HTTPS POST requests to rubygems.org/api/v1/gems. For pipelines that do publish, enforce a strict allowlist for gem names.
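The two host-side checks above (a Ruby process whose HOME has been redirected under /tmp, and a RubyGems credentials file staged there) can be expressed as simple detection logic. The following is an added example written for this article, not code from Socket's report or from the campaign; the process records and paths are constructed sample data, and on a real host they would come from /proc/<pid>/environ, an EDR process-event feed, or a filesystem sweep.

```ruby
require 'pathname'

# Assumption: these are the scratch directories worth treating as abnormal HOME roots.
TMP_ROOTS = %w[/tmp /var/tmp /dev/shm].freeze
# Assumption: executables that count as "a Ruby process" for the HOME check.
RUBY_COMMANDS = %w[ruby bundle gem rake].freeze

# True when HOME resolves under a scratch directory. cleanpath normalises
# '..' segments and trailing slashes so /tmp/../tmp/gemhome is not missed.
def home_in_tmp?(home)
  return false if home.nil? || home.empty?
  path = Pathname.new(home).cleanpath.to_s
  TMP_ROOTS.any? { |root| path == root || path.start_with?("#{root}/") }
end

def ruby_process?(comm)
  RUBY_COMMANDS.include?(File.basename(comm.to_s))
end

# Returns the records to alert on: a Ruby process running with HOME under /tmp.
def flag_home_overrides(records)
  records.select { |r| ruby_process?(r[:comm]) && home_in_tmp?(r[:env]['HOME']) }
end

# Returns paths shaped like <scratch dir>/<anything>/.gem/credentials, which is
# where the gem CLI looks once HOME has been redirected. Path strings only;
# nothing is read from disk.
def flag_staged_credentials(paths)
  paths.select do |p|
    clean = Pathname.new(p).cleanpath
    clean.basename.to_s == 'credentials' &&
      clean.dirname.basename.to_s == '.gem' &&
      home_in_tmp?(clean.dirname.dirname.to_s)
  end
end

# Constructed sample data (pids, names and directories are invented).
SAMPLE_PROCESSES = [
  { pid: 101, comm: 'ruby',  env: { 'HOME' => '/home/ci' } },
  { pid: 202, comm: 'ruby',  env: { 'HOME' => '/tmp/gemhome' } },
  { pid: 303, comm: 'gem',   env: { 'HOME' => '/tmp/../tmp/x9k2q' } },
  { pid: 404, comm: 'nginx', env: { 'HOME' => '/tmp' } }
].freeze
SAMPLE_PATHS = %w[/tmp/gemhome/.gem/credentials /home/ci/.gem/credentials
                  /tmp/x9k2q/.gem/credentials /tmp/notes.txt].freeze

if $PROGRAM_NAME == __FILE__
  flag_home_overrides(SAMPLE_PROCESSES).each { |r| puts "ALERT pid=#{r[:pid]} #{r[:comm]} HOME=#{r[:env]['HOME']}" }
  flag_staged_credentials(SAMPLE_PATHS).each { |p| puts "ALERT staged credentials: #{p}" }
end
```

The nginx record with HOME=/tmp is deliberately left unflagged: the indicator the article describes is a Ruby process with a redirected HOME, so the process name check keeps the rule from firing on unrelated daemons.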