Last updated: May 14, 2026 at 10:49 AM UTC
Tag: socket (3 articles)

GemStuffer campaign turned RubyGems into a clandestine data drop - 150+ malicious gems hid scraped UK council portal pages inside Ruby packages

Socket researchers found more than 150 RubyGems packages doing something the registry was never built to do: smuggling scraped data out of UK council websites. The malicious gems fetch pages from Lambeth, Wandsworth, and Southwark's public meeting portals, bundle the responses into a normal-looking .gem archive, and push it back to RubyGems using a hardcoded API key. The attacker then downloads the data as a public gem version. Whether GemStuffer is registry spam, a worm being tested, or a deliberate trial of package-registry abuse, the mechanics are intentional - and it landed the same week RubyGems froze new account signups over a separate flood of malicious packages.

Check
Search dependency manifests and gem caches for gems published from newly registered RubyGems accounts in May 2026 with junk names, and review outbound traffic from CI runners for connections to council .gov.uk subdomains.
Affected
Any developer workstation, CI agent, or container image that allows arbitrary outbound gem installs from rubygems.org. UK local government portals (Lambeth, Wandsworth, Southwark) had public pages scraped through this channel.
Fix
Restrict gem installs to internal mirrors with allowlists, block outbound HTTP to council .gov.uk domains from build agents, and use Socket's published GemStuffer indicators to block known malicious gems.

Attackers poisoned 60+ Ruby gems and Go modules, then waited for CI pipelines to install them and steal credentials

Socket disclosed a fresh wave of supply-chain attacks targeting Ruby gems and Go modules: more than 60 typosquatted packages were uploaded to RubyGems and the Go module registry, designed to look like legitimate dependencies developers might pull into a CI pipeline. Once installed, the packages exfiltrate environment variables (which typically include AWS keys, GitHub tokens, and database credentials in CI environments) to attacker-controlled servers. The targeting is deliberate: typosquats picked names close to popular gems and Go libraries. This is the same operational pattern as the SAP npm compromise covered Wednesday, but targeting Ruby and Go ecosystems.

Check
Review your CI pipelines for any Ruby gem or Go module added in the past month, and confirm every package name matches the canonical upstream exactly.
Affected
Any organization running CI/CD pipelines that install Ruby gems or Go modules without strict pinning. Particularly acute for organizations with broad CI environment variables (AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, DATABASE_URL exposed to install scripts). Developer workstations are also exposed when developers run 'gem install' or 'go get' without verifying package names.
Fix
Pin every Ruby gem and Go module to specific versions and verify the upstream name matches. Move CI secrets out of environment variables and into ephemeral credential providers (OIDC for AWS, GitHub's masked secrets, HashiCorp Vault). Review CI logs for installs of packages whose names look like typosquats. Use Socket, Snyk, or equivalent tools to flag suspicious packages before install.

Attackers planted 73 fake VS Code extensions on Open VSX as 'sleepers' that pretended to be popular tools, then quietly turned malicious

Socket reported 73 newly identified malicious extensions on Open VSX, the marketplace used by VS Code, Cursor, and Windsurf editors. The extensions impersonate popular developer tools - same name, same icon, but published by newly created GitHub accounts with empty repositories. Instead of being malicious from day one, they sit harmlessly for weeks gathering downloads and trust, then push a 'normal' update that silently installs malware. Six of the 73 extensions have already activated; the rest are still in the sleeper phase. The campaign is part of GlassWorm, an ongoing supply-chain attack family that has been working its way through npm, GitHub, and editor extension marketplaces since 2025.

Check
Check every developer machine and CI runner for editor extensions, verify each publisher matches the official one, and remove anything you can't account for.
Affected
Developers using VS Code, Cursor, Windsurf, or other Open VSX-compatible editors who installed extensions in the past two months. Particularly risky if your team installs popular extensions by name without checking publisher namespace, or auto-updates extensions without review. Sleeper extensions look identical to legitimate ones, so visual checks alone are insufficient.
Fix
List installed extensions in each editor and cross-check the publisher against the legitimate one (microsoft.* for Microsoft tools, the original project's GitHub for others). Remove any with newly created publishers or mismatched namespaces. Disable auto-update on extensions in higher-risk environments. Allowlist approved extensions in managed dev environments. Socket's GlassWorm v2 page tracks the 73 by name.