
GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data

Cybersecurity researchers have identified a malicious campaign, tracked as GemStuffer, that abuses the public RubyGems package registry as a place to store and distribute data scraped from several United Kingdom local government web portals.

Key Points

  • The GemStuffer campaign has uploaded over 150 malicious packages to the RubyGems repository to serve as a data exfiltration channel.
  • Attackers are scraping public committee meeting data, contact information, and documents from ModernGov portals used by councils like Lambeth, Wandsworth, and Southwark.
  • The malicious gems carry hardcoded RubyGems API keys and use them to publish the scraped content back to the registry without any interactive login, either through the `gem push` command-line interface or through direct HTTP POST requests to the registry's publishing API.
  • RubyGems recently disabled new account registrations following a separate major attack, though the connection to GemStuffer remains under investigation.
  • The campaign demonstrates a novel abuse of package registries as a storage layer for bulk data collection rather than traditional malware distribution.
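The pattern described above (a gem whose code embeds a registry API key, contains self-publishing logic, and whose payload is mostly non-Ruby bulk data) can be triaged heuristically. The following Ruby script is an added example written for this page; it is not code from The Hacker News, the researchers, or the campaign, and it does not use any published GemStuffer indicators. It assumes RubyGems API keys take the form `rubygems_` followed by a hex string, and the 80% bulk-data threshold and the regex set are illustrative choices. The sample gem it builds is constructed inline so the script runs offline.

```ruby
#!/usr/bin/env ruby
# Heuristic triage of a .gem for "registry as storage" abuse:
#  - hardcoded RubyGems API key in code files
#  - self-publishing logic (`gem push`, POST to /api/v1/gems, Net::HTTP)
#  - payload dominated by non-code bulk data
# Added example: patterns and thresholds are assumptions, not campaign IOCs.
require "rubygems"
require "rubygems/package"
require "tmpdir"
require "fileutils"
require "find"

# Assumption: RubyGems API keys are "rubygems_" followed by hex characters.
API_KEY_RE  = /rubygems_[0-9a-f]{24,}/
PUBLISH_RES = {
  "gem push"    => /\bgem\s+push\b/,
  "api/v1/gems" => %r{/api/v1/gems},
  "Net::HTTP"   => /Net::HTTP/,
}.freeze
CODE_EXT   = %w[.rb .gemspec .rake].freeze
BULK_RATIO = 0.8 # assumed threshold: flag when >80% of bytes are non-code

# Walk an extracted gem tree and collect findings.
def scan_tree(root)
  findings = { api_keys: [], publish: [], bulk_ratio: 0.0 }
  code_bytes = data_bytes = 0
  Find.find(root) do |path|
    next unless File.file?(path)
    rel  = path.sub("#{root}/", "")
    body = File.binread(path)
    if CODE_EXT.include?(File.extname(path))
      code_bytes += body.bytesize
      findings[:api_keys] << rel if body.match?(API_KEY_RE)
      PUBLISH_RES.each do |name, re|
        findings[:publish] << "#{rel}: #{name}" if body.match?(re)
      end
    else
      data_bytes += body.bytesize
    end
  end
  total = code_bytes + data_bytes
  findings[:bulk_ratio] = total.zero? ? 0.0 : data_bytes.fdiv(total).round(3)
  findings
end

# Unpack a .gem (a tar holding data.tar.gz) with RubyGems' own reader and scan it.
def scan_gem(gem_path)
  Dir.mktmpdir("gemtriage") do |dest|
    Gem::Package.new(gem_path).extract_files(dest)
    f = scan_tree(dest)
    f[:suspicious] = !f[:api_keys].empty? && !f[:publish].empty? &&
                     f[:bulk_ratio] > BULK_RATIO
    f
  end
end

# Build a constructed sample gem that exhibits the pattern (not a real package).
# The key below is a made-up placeholder, never a real credential.
def build_sample_gem(dir)
  FileUtils.mkdir_p(File.join(dir, "lib"))
  FileUtils.mkdir_p(File.join(dir, "data"))
  File.write(File.join(dir, "lib", "stuffer_sample.rb"), <<~'RUBY')
    require "net/http"
    API_KEY = "rubygems_0123456789abcdef0123456789abcdef0123456789abcdef" # constructed
    def push(gem_file)
      # mirrors what `gem push` does: POST the gem to /api/v1/gems with the key
      uri = URI("https://rubygems.org/api/v1/gems")
      Net::HTTP.post(uri, File.binread(gem_file), "Authorization" => API_KEY)
    end
  RUBY
  File.write(File.join(dir, "data", "scraped.json"), '{"item":"x"},' * 2000)
  spec = Gem::Specification.new do |s|
    s.name    = "stuffer-sample"
    s.version = "0.0.1"
    s.summary = "constructed sample"
    s.authors = ["example"]
    s.files   = %w[lib/stuffer_sample.rb data/scraped.json]
  end
  # skip_validation=true: this is a throwaway sample, not a publishable gem
  Dir.chdir(dir) { File.join(dir, Gem::Package.build(spec, true)) }
end

if __FILE__ == $0
  target = ARGV[0]
  if target
    p scan_gem(target)
  else
    Dir.mktmpdir { |d| p scan_gem(build_sample_gem(d)) }
  end
end
```

Run it against a gem pulled with `gem fetch NAME` to triage a real package; with no argument it builds and scans the constructed sample. The three signals are deliberately combined, since a legitimate gem may ship large data files or reference `Net::HTTP` on its own; a hardcoded registry key next to publishing code and a data-heavy payload is the combination the article describes.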

Why it Matters

This campaign is not an exploit of a software flaw in RubyGems; it shows a public package registry being repurposed as free, unauthorized hosting for scraped data. Because each gem carries its own hardcoded API key, publishing needs no interactive login, which points to a need for stricter registry oversight to curb infrastructure abuse and any potential pivot into the targeted council systems.
Published by info@thehackernews.com (The Hacker News)