thehackernews.com web signal

GemStuffer turns RubyGems into UK council data pipe


Key insights

  • GemStuffer used 150+ RubyGems packages purely as a data pipe, requiring no developer installs for exfiltration to succeed.
  • Hardcoded API keys inside malicious gems authenticated re-upload of scraped UK council data back to RubyGems.
  • Targeted portals span Lambeth, Wandsworth, and Southwark councils, harvesting agenda and committee records.

Why this matters

Security tooling built around supply chain threats assumes the attack path runs through developer installs -- GemStuffer invalidates that assumption entirely, meaning existing SCA and dependency-scanning tools offer no detection coverage for this class of abuse. Package registries now have to be treated as potential exfiltration infrastructure, a monitoring problem they were not designed to solve and one that sits outside the current threat models of most AppSec programs. For AI and data pipeline teams increasingly pulling open-source packages at scale, the implication is that a compromised registry account or malicious gem can exfiltrate internal data without ever touching a production environment.

Summary

GemStuffer weaponized over 150 malicious packages on RubyGems not to infect developers but to use the registry itself as a covert exfiltration channel -- a novel abuse of open-source infrastructure. The gems scrape public democratic services portals across three London boroughs -- Lambeth, Wandsworth, and Southwark -- harvesting council agenda and committee data. That data gets bundled into valid .gem archives, then republished back to RubyGems using hardcoded API keys. No developer ever needs to install the packages for the exfiltration to succeed. Essentially, the campaign treats a trusted package registry as a data transport layer rather than a malware distribution vector.

  • 150+ malicious gems scraped publicly accessible UK local government portals across three boroughs
  • Hardcoded API keys inside each package authenticated re-upload of harvested council data back to the registry
  • The attack requires zero victim installs -- the registry alone is the exfiltration medium

This separates supply chain risk into two distinct threat models: one where attackers target developers who install packages, and one where the registry infrastructure itself is the weapon.
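A defender-side triage for the traits described above, as an added example that is not from the original report or from RubyGems: it flags unpacked gem contents that embed a RubyGems API key, reference the registry push endpoint, and consist mostly of non-code data. The regexes, the 0.8 data-ratio threshold, the verdict names and the sample files are assumptions constructed for illustration, not indicators from the campaign.

```ruby
# Added example: triage one unpacked gem (e.g. the output of `gem unpack`).
# Patterns and thresholds below are assumptions, not campaign indicators.
API_KEY_RE = /\brubygems_[0-9a-f]{48}\b/   # RubyGems API key shape
PUSH_RE    = %r{api/v1/gems|gem\s+push|Gem::Commands::PushCommand}
FETCH_RE   = %r{net/http|Net::HTTP|open-uri|URI\.open}
CODE_EXT   = %w[.rb .gemspec .rake].freeze

# files: { relative_path => content } for a single unpacked gem.
def audit_gem(files, data_ratio_limit: 0.8)
  keys, pushers, fetchers = [], [], []
  code_bytes = data_bytes = 0
  files.each do |path, body|
    text = body.b                           # binary copy, safe for any payload
    keys     << path if text.match?(API_KEY_RE)
    pushers  << path if text.match?(PUSH_RE)
    fetchers << path if text.match?(FETCH_RE)
    if CODE_EXT.include?(File.extname(path))
      code_bytes += text.bytesize
    else
      data_bytes += text.bytesize
    end
  end
  total = code_bytes + data_bytes
  ratio = total.zero? ? 0.0 : data_bytes.fdiv(total)
  reasons = []
  reasons << :embedded_registry_key unless keys.empty?
  reasons << :self_publishing    if !keys.empty? && !pushers.empty?
  reasons << :fetch_then_publish if !fetchers.empty? && !pushers.empty?
  reasons << :data_heavy         if ratio > data_ratio_limit
  verdict = if reasons.include?(:self_publishing) then :block
            elsif reasons.empty? then :pass
            else :review
            end
  { verdict: verdict, reasons: reasons, key_files: keys, data_ratio: ratio.round(2) }
end

FAKE_KEY = "rubygems_" + "0" * 48           # constructed placeholder, not a real key
SUSPECT = {                                 # constructed sample: scraper that republishes
  "lib/sync.rb" => "require 'net/http'\nKEY = '#{FAKE_KEY}'\n# POST archive to /api/v1/gems\n",
  "data/agenda_0001.json" => '{"item":"x"}' * 400
}.freeze
BENIGN = {                                  # constructed sample: ordinary library gem
  "lib/tool.rb" => "module Tool\n  VERSION = '1.0'\nend\n" * 20,
  "README.md"   => "Usage notes\n"
}.freeze

puts audit_gem(SUSPECT).inspect if __FILE__ == $PROGRAM_NAME
```

Because nothing here depends on an install event, the same check can run over a registry's newly published versions rather than over a project's dependency tree.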

Potential risks and opportunities

Risks

  • UK local councils (Lambeth, Wandsworth, Southwark) face ICO scrutiny and potential fines if scraped committee data contained personal details, even if the portals were technically public
  • Security teams relying on network-layer DLP tools will miss copycat campaigns since all traffic flows through legitimate RubyGems infrastructure with no anomalous endpoints to block
  • Other package registries (PyPI, npm, crates.io) face immediate pressure to audit published packages for embedded API keys and outbound scraping logic -- a review burden at scale they lack current tooling to automate

Opportunities

  • Software supply chain security vendors (Socket.dev, Chainguard, Snyk) can expand product positioning to cover registry-as-exfiltration scenarios, a gap not addressed by any major tool as of this reporting
  • UK public sector cybersecurity consultancies gain a concrete, named case study to drive portal hardening audits across the roughly 300 remaining local councils with similar democratic services portals
  • Package registry operators (RubyGems.org, PyPI, npm) have a clear business case to fund behavioral analytics on published package content, opening vendor contracts for anomaly detection at the registry layer

What we don't know yet

  • Whether RubyGems.org has revoked the API keys and removed the 150+ malicious gems, and whether similar packages remain active on PyPI or npm
  • Attribution behind GemStuffer -- no threat actor or government link confirmed in public reporting as of May 2026
  • Whether harvested council data included personally identifiable information about residents or officials, which would trigger UK GDPR and ICO notification obligations