GemStuffer — RubyGems registry weaponised as one-way exfiltration channel scraping UK local-authority ModernGov portals; new abuse pattern exploiting CI/CD inbound-monitoring blind spot

Socket's Threat Research Team disclosed on 2026-05-13 a campaign it dubs GemStuffer, in which 155+ malicious Ruby packages were published to the public RubyGems registry — not as a malware-delivery vehicle but as a covert one-way data-exfiltration channel (Socket, 2026-05-13; The Hacker News, 2026-05-13). The technique is new enough to warrant a defender's attention regardless of jurisdiction: a public package registry's push API has hitherto been monitored for malware distribution, not for outbound data leakage. Socket notes RubyGems temporarily disabled new account registration in connection with the broader account-abuse pattern that GemStuffer is part of.

Attack-chain steps as reported by Socket: (1) reconnaissance of the execution environment to confirm gem CLI presence and writeable temp space; (2) HTTP scraping of UK local-government democratic-services portals running ModernGov — Lambeth, Wandsworth and Southwark councils — using Ruby's stdlib Net::HTTP with SSL verification suppressed; (3) packaging of scraped HTML responses (committee calendars, agenda items, officer contact data, linked PDFs) into syntactically valid .gem archives with the captured data placed in lib/result.txt or in README fields; (4) credential injection — three OAuth-format RubyGems API keys hard-coded as plaintext in the payloads, with ENV['HOME'] overridden to an attacker-controlled /tmp/gemhome/ directory containing fabricated .gem/credentials files (permissions 0600) so the CLI's credential lookup resolves to attacker values without touching the operator's real home directory; (5) exfiltration via gem push to the RubyGems API.

The scraped data is itself public (council democratic-services portals are by design public), so the operational significance is not the confidentiality of the data but the channel pattern. Socket flagged the possibility that "council portal access as a pivot to demonstrate capability against government infrastructure" is the actual objective. The defender-critical generalisation: most CI/CD pipeline monitoring instruments npm install / bundle install / pip install inbound; few instrument outbound npm publish / gem push / pip upload from non-publisher contexts. Analyst-derived ATT&CK mapping for the chain (not cited in Socket's write-up): T1583.001 Domains (registry abuse), T1027 Obfuscated Files (data embedded inside .gem structure), T1567.004 Exfiltration to Web Service, T1552.001 Credentials In Files (hard-coded API keys).

Detection priorities for any organisation with Ruby tool-chains in its development surface: (a) audit gem push and bundle exec gem push invocations from CI runners and developer workstations that do not have a publish role assigned; (b) flag new RubyGems publisher accounts with high version churn (>10 versions/day on a freshly created package); (c) inspect outbound HTTPS POST traffic from build agents to rubygems.org (POST = publish, GET = read); (d) extend the same lens to npm publish and pip upload. The asymmetric-monitoring-gap pattern generalises trivially across registries; the GemStuffer write-up is the lever for security teams to fund that monitoring asymmetry now rather than after a CH/EU-equivalent variant lands. RubyGems' temporary signup suspension is signal that the registry operator already considers this a structural rather than a single-actor problem.