Researchers at Socket discovered a campaign called GemStuffer, in which more than 150 packages were uploaded to the RubyGems repository with an unusual goal: to use the package registry not to distribute malicious code to developers, but as a channel for storing and retrieving data collected from UK local government portals. The campaign affects both the RubyGems ecosystem as a whole and operators of public portals built on the ModernGov platform, although the attackers' ultimate objectives remain unclear.
Mechanics of the attack: registry as storage
According to the researchers, the GemStuffer packages were not designed for large-scale compromise of developers. Many of them had virtually no downloads, and the payload is described as repetitive, noisy and unusually self-contained. Instead of implanting backdoors or stealing credentials, the scripts inside the packages performed a completely different task:
- Downloaded pages from hard-coded URLs of UK municipal council portals
- Packaged the resulting HTTP responses into valid .gem archives
- Published these archives back to RubyGems using registry API keys embedded in the code
The researchers identified two implementation variants. In the first, the payload wrote RubyGems credentials into a temporary directory under /tmp, pointed the HOME environment variable at it so that the gem command-line interface would read those credentials instead of the real user's, built the package locally and pushed it with the gem CLI. In the second, the archive was uploaded directly to the RubyGems API with an HTTP POST request, bypassing the CLI entirely. After publication, retrieving the scraped data required nothing more than gem fetch with the package name and version.
This approach turns a public package registry into a kind of cloud storage that can be read without authentication. This is fundamentally different from typical software supply chain attacks, where malicious packages are designed to be installed by victims.
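To see what such a package looks like once fetched, and how to tell it apart from a real library, here is an added example in Ruby. It is not Socket's tooling or GemStuffer's own scripts: it builds a throwaway .gem locally whose contents are a constructed council page plus a placeholder publishing key, then reopens it with RubyGems' own Gem::Package API (the same class that reads what gem fetch downloads) and classifies it as a data container. The HTML snippet, the package name qzvwk, the file names and the assumed shape of a RubyGems API key are all illustrative assumptions.

```ruby
require 'rubygems'
require 'rubygems/package'
require 'tmpdir'

# Constructed sample contents, not the real GemStuffer payload: a scraped
# council page and a tiny Ruby file carrying a placeholder publishing key.
SAMPLE_HTML = <<~HTML
  <!DOCTYPE html>
  <html><head><title>Browse meetings</title></head>
  <body><a href="/ieListMeetings.aspx?CommitteeId=123">Planning Committee</a></body>
  </html>
HTML
SAMPLE_RB = "API_KEY = 'rubygems_#{'0' * 48}' # placeholder, not a real key\n"

HTML_START = /\A\s*<(!doctype|html)/i
# Heuristic for an embedded RubyGems API key (assumed shape: rubygems_ + hex).
API_KEY_RE = /rubygems_[0-9a-f]{20,}/

# Build a .gem in +dir+ that is really a data container and return its path.
# Validation is skipped: the goal is the artifact shape, not a publishable gem.
def build_sample_gem(dir)
  Dir.chdir(dir) do
    Dir.mkdir('data')
    Dir.mkdir('lib')
    File.write('data/meetings.html', SAMPLE_HTML)
    File.write('lib/push.rb', SAMPLE_RB)
    spec = Gem::Specification.new do |s|
      s.name    = 'qzvwk' # nonsensical name, as in the campaign
      s.version = '0.0.17'
      s.summary = 'constructed sample'
      s.authors = ['sample']
      s.files   = ['data/meetings.html', 'lib/push.rb']
    end
    File.join(dir, Gem::Package.build(spec, true))
  end
end

# Open a fetched .gem (a tar holding metadata.gz and data.tar.gz), extract
# data.tar.gz and decide whether the package carries code or scraped pages;
# also report files that embed something shaped like a registry API key.
def triage_gem(gem_path)
  pkg   = Gem::Package.new(gem_path)
  spec  = pkg.spec
  files = pkg.contents
  html_files, keyed_files = [], []
  html_bytes = ruby_bytes = 0
  Dir.mktmpdir do |out|
    pkg.extract_files(out)
    files.each do |f|
      body = File.binread(File.join(out, f))
      if body.match?(HTML_START)
        html_files << f
        html_bytes += body.bytesize
      end
      ruby_bytes += body.bytesize if f.end_with?('.rb')
      keyed_files << f if body.match?(API_KEY_RE)
    end
  end
  ruby_files = files.grep(/\.rb\z/)
  # More bytes of captured pages than of Ruby: storage, not a library.
  verdict = html_bytes > ruby_bytes ? :data_container : :code
  { name: spec.name, version: spec.version.to_s, files: files,
    ruby_files: ruby_files, html_files: html_files,
    html_bytes: html_bytes, ruby_bytes: ruby_bytes,
    files_with_api_key: keyed_files, verdict: verdict }
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    r = triage_gem(build_sample_gem(dir))
    puts "#{r[:name]}-#{r[:version]}: #{r[:verdict]}"
    puts "  html files (#{r[:html_bytes]} bytes): #{r[:html_files].join(', ')}"
    puts "  files with api key: #{r[:files_with_api_key].join(', ')}"
  end
end
```

Against a real download, replace the build step with the path that gem fetch wrote and keep the triage as is; nothing in the package is executed, which is the point of reading it through Gem::Package rather than installing it.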
Targeted data and unclear motives
The campaign reportedly targeted public ModernGov portals run by the London borough councils of Lambeth, Wandsworth and Southwark. The collected information included:
- Committee meeting calendars
- Lists of agenda items
- Associated PDF documents
- Contact details of officials
- Contents of RSS feeds
Notably, all of this information is already publicly available on the municipalities’ portals. This makes the ultimate goal of the campaign unclear. Socket suggests several possible interpretations: registry spam, a worm prototype, an automated scraper abusing RubyGems as a storage layer, or deliberate testing of how package registries can be abused.
Connection with the RubyGems incident
The GemStuffer campaign was discovered against the backdrop of RubyGems temporarily disabling new account registrations after a large-scale malicious attack. A direct link between the two events has not been confirmed, and the available sources contain no statement from RubyGems connecting them, but Socket notes that GemStuffer fits the same abuse pattern: creating new packages with nonsensical names to host data.
Impact assessment
The direct threat to developers using RubyGems is minimal in this case — the packages are not intended to be installed into projects and do not contain traditional malicious code. However, the precedent itself highlights a serious issue: package registries can be used as infrastructure for operations unrelated to software distribution. This burdens moderation, clutters the registry and can potentially undermine trust in the ecosystem.
For ModernGov portal operators, systematic collection of public data is not in itself a compromise, but it may indicate reconnaissance activity — especially regarding officials’ contact details.
Recommendations
- Administrators managing RubyGems dependencies: check whether any unknown packages with nonsensical names and minimal download counts have appeared in your projects’ dependencies. Use dependency analysis tools to detect anomalous packages.
- ModernGov portal operators: analyze web server logs for systematic automated requests to pages with meetings, agendas and contact information. Consider implementing rate limiting to protect against large-scale scraping.
- Security teams of package registries: this incident underscores the need to monitor not only malicious package contents but also anomalous publication patterns — mass generation of packages with incrementing versions and embedded credentials.
- RubyGems API key owners: check that your keys have not been compromised, rotate them if you suspect a leak, prefer scoped keys limited to the gems and actions you actually need, and enable two-factor authentication for publishing.
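For the log-review step recommended to portal operators, here is an added Ruby example (not ModernGov's or Socket's code) that parses combined-format web server lines, groups requests by client address and user agent, and flags clients that sweep several page families at a machine-like cadence. The ModernGov handler names used to define the families (ieListMeetings.aspx, mgAi.aspx, mgMemberIndex.aspx, mgRss.aspx and so on) are assumptions about that platform's URL conventions, the log lines are constructed, and the thresholds are illustrative starting points.

```ruby
require 'time'

# Apache/nginx combined log format.
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"/

# Page families a scraper of a ModernGov portal would walk. The handler
# names are an assumption about ModernGov's URL conventions.
FAMILIES = {
  meetings: %r{/(ieListMeetings|ieListDocuments|mgCalendarMonthView)\.aspx}i,
  agendas:  %r{/mgAi\.aspx|/documents/.+\.pdf\z}i,
  members:  %r{/(mgMemberIndex|mgUserInfo)\.aspx}i,
  rss:      %r{/mgRss\.aspx}i,
}.freeze

def parse_line(line)
  m = LINE_RE.match(line) or return nil
  { ip: m[:ip], ua: m[:ua], path: m[:path], status: m[:status].to_i,
    time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z') }
end

def family_of(path)
  FAMILIES.each { |name, re| return name if path.match?(re) }
  nil
end

# Flag clients (ip + user agent) that cover several page families with a
# machine-like cadence: enough hits, enough breadth, short median gap.
def find_scrapers(lines, min_hits: 8, min_families: 3, max_median_gap: 5.0)
  hits = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    rec = parse_line(line) or next
    fam = family_of(rec[:path]) or next
    hits[[rec[:ip], rec[:ua]]] << [rec[:time], fam]
  end
  hits.filter_map do |(ip, ua), seen|
    next if seen.size < min_hits
    families = seen.map(&:last).uniq
    next if families.size < min_families
    gaps = seen.map(&:first).sort.each_cons(2).map { |a, b| b - a }.sort
    median = gaps[gaps.size / 2]
    next if median > max_median_gap
    { ip: ip, ua: ua, hits: seen.size, families: families, median_gap_s: median }
  end
end

# Constructed sample log: one client walking the portal every 2 s, one
# browser visiting three pages over twenty minutes, plus noise.
def log_line(ip, t, path, ua)
  %(#{ip} - - [#{t.strftime('%d/%b/%Y:%H:%M:%S %z')}] "GET #{path} HTTP/1.1" 200 18422 "-" "#{ua}")
end

T0 = Time.utc(2025, 3, 10, 9, 0, 0)
WALK = %w[/ieListMeetings.aspx?CommitteeId=123 /mgCalendarMonthView.aspx?GL=1
          /mgAi.aspx?ID=4567 /documents/s12345/Agenda.pdf /mgMemberIndex.aspx?bcr=1
          /mgUserInfo.aspx?UID=42 /mgRss.aspx?type=1 /ieListDocuments.aspx?CId=123
          /mgAi.aspx?ID=4568].freeze
SAMPLE_LOG = WALK.each_with_index.map { |p, i| log_line('203.0.113.7', T0 + 2 * i, p, 'Ruby') } +
  [log_line('198.51.100.5', T0 + 600, '/ieListMeetings.aspx?CommitteeId=123', 'Mozilla/5.0'),
   log_line('198.51.100.5', T0 + 870, '/documents/s12345/Agenda.pdf', 'Mozilla/5.0'),
   log_line('198.51.100.5', T0 + 1325, '/mgUserInfo.aspx?UID=42', 'Mozilla/5.0'),
   log_line('198.51.100.5', T0 + 1330, '/css/site.css', 'Mozilla/5.0'),
   'not a log line']

if $PROGRAM_NAME == __FILE__
  find_scrapers(SAMPLE_LOG).each do |s|
    puts "#{s[:ip]} (#{s[:ua]}): #{s[:hits]} hits over #{s[:families].join('/')}, median gap #{s[:median_gap_s]}s"
  end
end
```

Because all of this content is public, the point is visibility rather than blocking: a flagged client is a candidate for rate limiting or for a closer look at which officials' pages it fetched. Legitimate search-engine crawlers also cover breadth at a steady cadence, so check a flagged user agent against your crawler allow-list before acting on it.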
The GemStuffer campaign is an atypical case of abusing a package registry, where RubyGems is used not as an attack vector against developers but as free data storage infrastructure. Whether this is a proof-of-concept test or part of a larger operation, the incident points to the need to expand threat detection models in package ecosystems beyond traditional malware scanning to include analysis of publication behavior patterns and package contents.