Last updated: May 14, 2026 at 10:49 AM UTC
Tag: uk-government (1 article)

GemStuffer campaign turned RubyGems into a clandestine data drop - 150+ malicious gems hid scraped UK council portal pages inside Ruby packages

Socket researchers found more than 150 RubyGems packages doing something the registry was never built to do: smuggling scraped data out of UK council websites. The malicious gems fetch pages from Lambeth, Wandsworth, and Southwark's public meeting portals, bundle the responses into a normal-looking .gem archive, and push it back to RubyGems using a hardcoded API key. The attacker then downloads the data as a public gem version. Whether GemStuffer is registry spam, a worm being tested, or a deliberate trial of package-registry abuse, the mechanics are intentional - and it landed the same week RubyGems froze new account signups over a separate flood of malicious packages.

Check
Search dependency manifests and gem caches for gems published from newly registered RubyGems accounts in May 2026 with junk names, and review outbound traffic from CI runners for connections to council .gov.uk subdomains.
Affected
Any developer workstation, CI agent, or container image that allows arbitrary outbound gem installs from rubygems.org. UK local government portals (Lambeth, Wandsworth, Southwark) had public pages scraped through this channel.
Fix
Restrict gem installs to internal mirrors with allowlists, block outbound HTTP to council .gov.uk domains from build agents, and use Socket's published GemStuffer indicators to block known malicious gems.
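The sketch below is an added example, not code from Socket or from the page: it audits a `Gemfile.lock` for the two conditions the Check and Fix items describe, gems that are not on an allowlist and gems resolved from a source other than the internal mirror. The mirror URL, the allowlist contents, and the junk gem name are constructed placeholders.

```ruby
# Added example: audit Gemfile.lock sources against a mirror and an allowlist.
require "set"

# Constructed sample lockfile; mirror URL and the junk gem name are made up.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://gems.internal.example/
    specs:
      rack (3.0.8)
      rake (13.1.0)

  GEM
    remote: https://rubygems.org/
    specs:
      xq7-zzkv-util (0.0.3)
        rack (>= 2.0)

  DEPENDENCIES
    rack
    rake
    xq7-zzkv-util
LOCK

# Return every locked gem with the remotes of the section that supplied it.
def locked_gems(lock_text)
  gems = []
  remotes = []
  lock_text.each_line(chomp: true) do |line|
    case line
    when /\A\S/ then remotes = []                 # new top-level section
    when /\A  remote: (\S+)/ then remotes << $1   # GEM, GIT and PATH each list one
    when /\A    (\S+) \(([^)]+)\)\z/              # 4-space indent = resolved spec
      gems << { name: $1, version: $2, remotes: remotes }
    end
  end
  gems
end

# Flag gems that are off the allowlist or resolved from anything but the mirror.
def audit(lock_text, allowlist:, mirror:)
  locked_gems(lock_text).filter_map do |g|
    reasons = []
    reasons << "not on allowlist" unless allowlist.include?(g[:name])
    reasons << "source outside mirror" unless g[:remotes] == [mirror]
    { gem: "#{g[:name]} #{g[:version]}", reasons: reasons } unless reasons.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  audit(SAMPLE_LOCK, allowlist: Set["rack", "rake"],
        mirror: "https://gems.internal.example/").each { |f| puts "#{f[:gem]}: #{f[:reasons].join(', ')}" }
end
```

Because GIT and PATH sections also carry a `remote:` line, gems pulled from those sources are reported as outside the mirror too.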