GemStuffer RubyGems data-exfiltration campaign
Campaign
Summary
The GemStuffer campaign is abusing RubyGems as a data-exfiltration channel, with more than 150 gems used to stage scraped content. It targeted public-facing ModernGov portals used by Lambeth, Wandsworth, and Southwark, pulling council meeting calendars, agenda items, linked PDFs, officer contacts, and RSS feeds. The operation matters because it turns a trusted package registry into a covert storage layer for collected portal data. Attackers can later retrieve the staged content with `gem fetch`.
Related Happenings
BufferZoneCorp sleeper-package supply chain campaign
Campaign
First: 01.05.2026 12:43
Last: 01.05.2026 12:43
Sources 1
About this happening:
The **BufferZoneCorp** software supply chain campaign is pushing **malicious Ruby gems and Go modules** that can steal credentials, tamper with **GitHub Actions**, and persist on...
GitHub fake VS Code alert spam campaign
Campaign
First: 27.03.2026 18:51
Last: 27.03.2026 18:51
Sources 1
About this happening:
A coordinated **GitHub Discussions** spam campaign is posting fake **Visual Studio Code** security alerts to lure developers into **malware downloads**, reaching **thousands of re...
Timeline
- 13.05.2026 11:08 · 2 articles
GemStuffer abuses RubyGems to stage scraped U.K. council data
Initial Disclosure
Security researchers identified GemStuffer, a campaign that used the RubyGems repository as a data-exfiltration channel by scraping public U.K. local government portal pages, packaging the responses into valid .gem archives, and publishing more than 150 gems with hardcoded API keys or embedded registry credentials. The activity targeted public-facing ModernGov portals used by Lambeth, Wandsworth, and Southwark and collected committee meeting calendars, agenda item listings, linked PDF documents, officer contact information, and RSS feed content.
Sources:
- GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data — thehackernews.com — 13.05.2026 11:08
- Attackers Weaponize RubyGems for Data Dead Drops — www.darkreading.com — 14.05.2026 00:09