GemStuffer Campaign Abuses RubyGems for Data Exfiltration, Targets UK Government Portals
A novel campaign dubbed **GemStuffer** has been discovered abusing the RubyGems repository, not for malware distribution, but as a data exfiltration channel. Over 150 malicious gems have been identified, scraping data from UK local government portals and using RubyGems to store and disseminate the collected information.
Cybersecurity researchers have uncovered an unusual campaign, **GemStuffer**, that targets the **RubyGems** repository. Unlike typical supply-chain attacks that aim to compromise developers at scale by distributing malware, this one uses the registry itself as a data exfiltration and storage channel.
### Unusual Activity
According to **Socket**, the packages involved don't seem designed for widespread compromise. Many exhibit little to no download activity, and their payloads are repetitive and self-contained. Instead, these gems fetch pages from U.K. local government democratic services portals, package the collected responses into valid .gem archives, and then publish them back to RubyGems using hardcoded API keys.
### RubyGems Under Scrutiny
This development coincides with **RubyGems** temporarily disabling new account registrations in response to a separate major attack on the registry. While a direct link between the two events remains unconfirmed, Socket notes that GemStuffer exhibits a similar abuse pattern: newly created packages with junk names are used to host scraped data.
### Technical Details
The attack works by scraping content from hard-coded U.K. council portal URLs. The HTTP responses are packaged into valid .gem archives and uploaded to **RubyGems** using embedded registry credentials. In some instances, the malicious gem sets up a throwaway credentials environment: it overrides the HOME environment variable so that the `gem` command-line interface (CLI) reads its API key from a credentials file the gem has just written under that directory (the CLI looks for the key in `$HOME/.gem/credentials`, so pointing HOME at a directory the gem controls supplies a key without touching the real user's configuration), builds a gem locally, and pushes it to **RubyGems** with `gem push`.
Other variants bypass the CLI altogether and upload the archive directly to the **RubyGems** API with an HTTP POST request. Once a gem is published, anyone who knows the gem name and version can retrieve the scraped data with `gem fetch`, which downloads the .gem archive from the public registry without any authentication, so retrieval blends in with ordinary gem traffic.

### Target: UK Council Portals
The scraping campaign targets public-facing ModernGov portals used by councils such as Lambeth, Wandsworth, and Southwark. The aim is to collect committee meeting calendars, agenda item listings, linked PDF documents, officer contact information, and RSS feed content. The ultimate goal remains unclear, especially since the information is publicly accessible.

### Potential Motives
**Socket** suggests the systematic collection and archival of this data could be a demonstration of capability against government infrastructure. Other possibilities include registry spam, a proof-of-concept worm, an automated scraper misusing **RubyGems** as a storage layer, or a deliberate test of package registry abuse. Regardless, the mechanics indicate intentionality: repeated gem generation, version increments, hardcoded **RubyGems** credentials, direct registry pushes, and scraped data embedded inside package archives.