Attackers Weaponize RubyGems for Data Dead Drops

Attackers Weaponize RubyGems for Data Dead Drops

Newsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsEndpoint SecurityChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsbyAlexander CulafiMay 22, 20264 Min ReadApplication SecurityGitHub Confirms Breach, 4K Internal Repos StolenGitHub Confirms Breach, 4K Internal Repos StolenbyAlexander CulafiMay 20, 20263 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificLatin AmericaSee AllThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryApplication SecurityVulnerabilities & ThreatsThreat IntelligenceData PrivacyNewsAttackers Weaponize RubyGems for Data Dead DropsThreat actors are publishing RubyGems packages that include scrapers targeting public-facing UK government servers, but with no clear objective.Alexander Culafi,Senior News Writer,Dark ReadingMay 13, 20264 Min ReadSource: Zerilli Media via Alamy Stock PhotoA new threat campaign is using RubyGems as a dead drop to store exfiltrated data, but the attacker's long-term plans are less clear. Software development security vendor Socket published research concerning a campaign dubbed "GemStuffer," where an attacker abused the RubyGems package registry "as a data transport mechanism rather than a conventional malware distribution channel," according to a blog post. RubyGems is a package manager for the Ruby programming language, and acts as a way for developers to distribute Ruby programs or libraries, which are referred to as "gems."On the surface, this would look like any number of attacks impacting the open source development supply chain in recent months. There are the Shai-Hulud self-propagating worms, novel ways to compromise open source AI models, and countless attacks against the NPM package ecosystem.But in this case, the primary victim is unclear, as is the full scope of the threat activity. What organizations need to pay attention to is what the attacker might be planning next and how they can prepare.Related:GitHub Confirms Breach, 4K Internal Repos StolenGemStuffer Hints at Bigger AttacksIn this case, GemStuffer concerns more than 100 gems that appear to use RubyGems as a dead drop for data rather than to distribute conventional malware. The attackers are publishing a large number of packages with few or even no downloads that contain payloads that are "repetitive, noisy, and unusually self-contained," according to Socket.The scripts within the packages merely fetch pages from UK local government portals used by the Lambeth, Wandsworth, and Southwark districts in London; scraped data includes council calendar pages, agenda listings, committee link, and other such public-facing information. This data is then published back to RubyGems as .gem archives through hardcoded API keys. "In some samples, the payload creates a temporary RubyGems credential environment under /tmp, overrides HOME, builds a gem locally, and pushes it to rubygems.org," the blog post read. "Other variants skip the gem CLI entirely and POST the archive directly to the RubyGems API."The attacker later downloads the package from RubyGems and extracts the data. No command-and-control (C2) server needed.There are several unusual aspects to this campaign beyond the dead drop piece. For one, this activity was observed at the same time that RubyGems was under attack via an apparent coordinated spam-publishing campaign. Socket did not directly attach this campaign to that threat activity, though the vendor did mention it as having a similar abuse pattern to the spam campaign. Related:'Claw Chain' Vulnerabilities Threaten OpenClaw DeploymentsSecond, the threat actor created an automated scraper with worm potential, yet they're using it to scrape public facing data and not putting significant data into these packages to get potential victims to click on them. These gems do not contain conventional malware, but instead data collection tools and scripts for uploading packages using built-in API keys.It could be a test run against government servers or practice using novel malware, but the motivation is unclear. "It may be registry spam, a proof-of-concept worm, an automated scraper misusing RubyGems as a storage layer, or a deliberate test of package registry abuse," Socket said in its post. "But the mechanics are intentional: repeated gem generation, version increments, hardcoded RubyGems credentials, direct registry pushes, and scraped data embedded inside package archives."Feross Aboukhadijeh, founder and CEO of Socket, tells Dark Reading that the threat actor's technique was clever, but execution was "noisy.""That usually points to testing, automation, or spam rather than a mature operation trying to preserve stealth," he says. "The actor may have cared less about staying hidden and more about proving that RubyGems could be used as a transport layer."Related:Shai-Hulud Worm Clones Spread After Code ReleaseWhat Developers Need to Know About GemStufferFor developers, Socket urged caution because, while none of these 155-plus compromised packages have been downloaded to a significant degree, GemStuffer shows a novel use case for exploiting package repositories (as dead drops). The campaign also serves as an example for why software package registries should not be implicitly trusted. Organizations that download Ruby packages or believe they may be affected by GemStuffer should audit the /tmp folder on all potentially affected machines; identify the delivery vector if a package is present on a machine (as these gems are not self-propogating); and block outbound gem pushes in CI pipelines that do not publish gems, Socket said. Aboukhadijeh says the business risk is "less about these specific junk gems being installed and more about what the behavior may be testing.""This lands at a time when everyone in supply chain security is already on alert after seeing worm-like campaigns move across multiple ecosystems, including npm, PyPI, and Packagist. Security teams often focus on what packages developers install, but publishing activity needs attention too," he explains. "Defenders should know which developer machines, CI jobs, and service accounts are allowed to publish to public registries, and they should lock down those publishing workflows so only approved systems can publish approved packages."About the AuthorAlexander CulafiSenior News Writer, Dark ReadingAlex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels.He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today. See more from Alexander CulafiWant more Dark Reading stories in your Google search results?Add Us NowMore InsightsIndustry ReportsHow Organizations Are Managing Incident ResponseHow Enterprises Are Developing Secure ApplicationsInside RSAC 2026: security leaders reveal the risks redefining your defense strategyHow Enterprises Are Harnessing Emerging Technologies in CybersecurityDitch the Data Center: Understanding Flexible Cloud Infrastructure Security ManagementAccess More ResearchWebinarsBuild vs. Buy: The Hidden Cost of Building Your Own AI Security StackDefending in the Shadow Era: When the CVE Feed Goes DarkBuilding SecOps That Make the Most of Every DollarAI-Powered Credential Security: Intelligence Without ExposureAI-Powered Cybersecurity for Resource-Constrained OrganizationsMore WebinarsEditor's ChoiceThreat IntelligenceFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberbyDark Reading Editorial TeamMay 6, 202631 Min ReadCyber RiskPhysical Cargo Theft Gets a Boost From CybercriminalsPhysical Cargo Theft Gets a Boost From CybercriminalsbyRobert LemosMay 4, 20265 Min ReadWant more Dark Reading stories in your Google search results?Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeRSAC 2026: key news & insightsAt RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much moreGet Your RecapWebinarsBuild vs. Buy: The Hidden Cost of Building Your Own AI Security StackThurs, June 25, 2026, at 1pm ESTDefending in the Shadow Era: When the CVE Feed Goes DarkTues, June 16, 2026 at 1pm ESTBuilding SecOps That Make the Most of Every DollarThurs, July 9, 2026 at 1pm ESTAI-Powered Cybersecurity for Resource-Constrained OrganizationsThurs, June 18, 2026, at 1pm ESTAI-Powered Credential Security: Intelligence Without ExposureWed, June 17, 2026, at 1pm ESTMore WebinarsBlack Hat USA | Mandalay Bay, Las VegasThe premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑da