New "GemStuffer" Campaign Exploits RubyGems Registry to Steal Scraped UK Council Data


Breaking: Over 150 Malicious RubyGems Found Exfiltrating UK Council Portal Data

Cybersecurity researchers have uncovered a sophisticated campaign, dubbed GemStuffer, that deployed more than 150 malicious packages on the RubyGems repository. Unlike typical supply chain attacks, these gems do not distribute malware but instead use the registry as a channel to exfiltrate scraped data from UK council portals.

New "GemStuffer" Campaign Exploits RubyGems Registry to Steal Scraped UK Council Data
Source: feeds.feedburner.com

“The packages do not appear designed for mass developer compromise,” said a spokesperson from Socket, the security firm that identified the campaign. “Many have little or no download activity, and the payloads are repetitive, yet their intent is clear—data theft via a trusted platform.”

Socket’s analysis reveals that the gems contain scripts that harvest information previously scraped from multiple UK local government websites. The exfiltrated data includes personal details such as names, addresses, and council tax records, which are then sent to external servers controlled by the attackers.

How GemStuffer Operates

The campaign uses a low-and-slow approach, avoiding detection by keeping download numbers low. Each gem contains repetitive payloads that activate only when installed in specific environments, making them unlikely to affect typical development workflows.

Socket researchers note that the gems were uploaded over several months, with many sharing similar code structures. “It’s a deliberate attempt to blend in with legitimate packages while quietly siphoning sensitive data,” the spokesperson added.

Background: Why RubyGems?

RubyGems is a critical part of the Ruby ecosystem, used by thousands of developers worldwide to share libraries and tools. Its open nature makes it a prime target for malicious actors, but GemStuffer marks a shift from traditional malware delivery to data exfiltration.

The UK council portals targeted are public-facing sites that aggregate property and personal information. Scraping such data is legal in many cases, but using it without authorization—especially via a component registry—raises serious privacy and security concerns.


This incident follows a pattern of growing abuse in package registries, including PyPI and npm, where attackers leverage trust in open-source ecosystems for malicious ends.

What This Means for Developers and Organizations

For developers using RubyGems, the campaign underscores the need for stringent package vetting. Even if a gem is not widely downloaded, it can still be a vector for data theft if installed in a sensitive environment.

Organizations relying on Ruby dependencies should review their Gemfile.lock for any of the flagged packages and monitor network traffic for unexpected outbound connections. Socket has released a list of all 150+ malicious gems, advising immediate removal.

“This isn’t a typical supply chain attack—it’s a quiet, persistent exfiltration operation,” the spokesperson emphasized. “The real risk lies in assuming that low popularity equates to safety.”

Security experts recommend using automated tools to scan for suspicious packages and implementing strict registry access controls. The UK’s National Cyber Security Centre has been alerted and is investigating the scraped data’s origin.

Immediate Steps to Take

  • Run a full audit of all RubyGems in your projects and cross-reference them against Socket’s advisory.
  • Enable two-factor authentication on your RubyGems account to prevent unauthorised uploads.
  • Monitor outbound traffic from any server that processes Ruby dependencies.

Update: This is a developing story. More details on the specific councils affected are expected in the coming days.
