GemStuffer RubyGems Exfiltration Channel

Executive Summary

GemStuffer should become a new standalone post. It is not a classic dependency compromise: public evidence does not show existing legitimate gems being hijacked, mass developer installs, or a self-propagating installer. It is still supply-chain abuse because the actor used RubyGems’ package release path as an exfiltration and storage primitive, turning ordinary gem artifacts into retrievable containers for scraped public-sector portal data Socket.

Socket reports more than 100 gems in the campaign and says its tracker contains 155 affected package artifacts Socket. Representative tracker rows include agenda-sample-yard 0.1.1, bot9evil 0.1.0, fetchrootx2 0.0.1, soufetchabc 0.0.3, wandcabfetchfix21736 0.0.1, wandscrawlr 0.0.1, slnleaker5 0.0.1, fetchrootx1 0.0.1, and lambeth71b 0.0.1 Socket tracker. RubyGems public timeframe metadata independently confirms yanked representative versions and exposes SHA-256 values for those versions through the registry API fields documented by RubyGems RubyGems API.

The downstream risk is registry-abuse blind spots. A POST to rubygems[.]org/api/v1/gems can look like a normal release from a developer workstation or CI runner, but in this case the uploaded binary gem carried scraped HTML responses from UK council ModernGov portals. Defenders should monitor who is allowed to publish packages, not only which packages are installed.

Key Facts

threat_type: "RubyGems registry abuse as exfiltration channel"
ecosystem: "RubyGems, Ruby"
registry: "RubyGems.org"
campaign_name: "GemStuffer"
affected_package_artifacts: "155 reported by Socket tracker; representative rows verified"
affected_packages_representative:
  - "agenda-sample-yard"
  - "bot9evil"
  - "fetchrootx2"
  - "soufetchabc"
  - "lambeth71b"
  - "wandscrawlr"
  - "slnleaker5"
  - "lambethx33zzz"
  - "southfetchprobe42"
malicious_versions_representative:
  - "agenda-sample-yard 0.1.1"
  - "bot9evil 0.1.0"
  - "fetchrootx2 0.0.1"
  - "soufetchabc 0.0.3"
  - "lambeth71b 0.0.1"
known_good_versions: []
fixed_or_safe_versions:
  - "not applicable; junk packages were yanked or should be treated as malicious staging artifacts"
execution_trigger: "unknown delivery vector; observed Ruby payload execution with embedded RubyGems publishing credentials"
primary_impact: "scraped council portal data staged into public RubyGems package artifacts"
public_sector_scope:
  - "Lambeth ModernGov portal"
  - "Wandsworth democratic services portal"
  - "Southwark ModernGov portal"
confidence: "medium"
canonical_source: "https://socket.dev/blog/gemstuffer"
last_verified: "2026-05-28"

Source Confidence And Evidence Mapping

• confirmed: Socket published primary research with representative Ruby code for ModernGov scraping, gem archive construction, /tmp/gemhome credential injection, gem push, and direct HTTP upload variants Socket.
• confirmed: Socket’s public campaign tracker reports 155 affected package artifacts and shows representative package/version rows with May 12, 2026 UTC publish and detection timestamps Socket tracker.
• confirmed: RubyGems documents POST /api/v1/gems, version metadata, SHA fields, yanking, and timeframe_versions, matching the registry mechanics observed in this campaign RubyGems API.
• confirmed: RubyGems status history records temporary disabling of new user registrations from May 12, 2026 08:54 UTC to May 16, 2026 05:12 UTC during the broader spam-publishing response RubyGems status.
• unknown: Publisher account handles, complete account-to-package mapping, initial delivery vector, and whether every tracked artifact contained scraped data versus probe or spam content.

Impact Determination

Classification	Criteria	Required evidence	Required action	Closure condition
Confirmed staging host	A host ran the Ruby payload, wrote /tmp/gemhome/.gem/credentials, built a gem, or posted a gem body to RubyGems.	EDR process/file telemetry, shell history, CI logs, preserved /tmp directories, RubyGems API key audit records.	Isolate long enough to preserve evidence, revoke RubyGems keys, review other reachable secrets, and block further gem publishing from that host.	No remaining payload files, no unauthorized gem pushes, credentials rotated, and egress controls enforce approved release runners only.
Presumed staging host	The host made an unauthorized POST to rubygems[.]org/api/v1/gems in the campaign window and also accessed one of the ModernGov calendar URLs.	Proxy logs with method/path, TLS inspection metadata if available, process attribution, Ruby runtime telemetry.	Treat as exfiltration-capable until proven otherwise; preserve logs and map the executing user.	Network event is explained by an approved release workflow or incident handling is complete.
Registry exposure only	Your organization did not execute the payload but mirrors, caches, SBOMs, or dependency tools recorded GemStuffer package artifacts.	Gem cache listings, Artifactory/Nexus logs, SBOMs, lockfiles, RubyGems mirror data.	Remove cached gems, block known names, and ensure no internal automation promoted them.	Internal package mirrors and dependency indexes no longer serve the artifacts.
Public-sector data exposure	Council portal pages or agenda responses appear in gem archive content or registry metadata.	Extracted data.tar.gz, lib/result.txt, README payloads, metadata descriptions, council URLs.	Notify data owners if non-public or sensitive content is observed; otherwise record bulk public-data scraping exposure.	Each recovered artifact is classified as public, sensitive, or unknown and handled accordingly.
Not exposed	No GemStuffer package names, payload hashes, /tmp artifacts, ModernGov scrape requests, or unauthorized RubyGems publish requests are present.	Source/gem-cache scans, proxy logs, EDR telemetry, CI job logs.	Keep registry publish monitoring in place.	Search coverage includes developer endpoints, CI, package mirrors, and logs for the campaign window.

Timeline

• 2026-05-12 02:20-03:30 UTC: RubyGems timeframe metadata shows yanked representative versions and many suspicious May 12 package rows containing ModernGov or related selectors. Local verification used the public timeframe_versions API documented by RubyGems RubyGems API.
• 2026-05-12 08:54 UTC: RubyGems status history marks the start of temporary new-user registration disabling during the broader abuse response RubyGems status.
• 2026-05-13: Socket publishes the GemStuffer research and links it to the RubyGems spam-publishing context Socket.
• 2026-05-16 05:12 UTC: RubyGems status history marks the registration-disabling incident resolved RubyGems status.
• 2026-05-28: Representative RubyGems API checks return yanked: true for sampled GemStuffer package versions.

Technical Analysis

Registry Abuse, Not Normal Package Consumption

The campaign’s most important distinction is directionality. The package registry was not merely a place where victims downloaded code. The payload published new packages back to RubyGems so the actor could retrieve scraped data later with standard gem tooling Socket.

Socket’s representative chain collects execution context, fetches ModernGov calendar and agenda pages, writes the HTTP responses into a valid gem directory, builds a .gem archive, and pushes it to RubyGems. In one variant, the scraped content lands in lib/result.txt; in another, it is placed in a README inside a gem built through Ruby APIs Socket.

Scraping Targets

Socket identifies three public-facing UK council portals: moderngov[.]lambeth[.]gov[.]uk, democracy[.]wandsworth[.]gov[.]uk, and moderngov[.]southwark[.]gov[.]uk. The code follows mgCalendarMonthView.aspx pages, extracts ieList and mgCommittee links, and fetches follow-on agenda pages Socket.

The public evidence supports bulk scraping of public ModernGov content. It does not prove theft of private council systems, authenticated portals, or internal networks. That uncertainty matters: responders should classify recovered lib/result.txt or README content rather than assuming either harmless public data or confirmed sensitive data.

RubyGems Credential Handling

Some samples created /tmp/gemhome/.gem/credentials, wrote a hardcoded RubyGems API key, set permissions to 0600, and overrode HOME so gem push would read that fabricated credential store. Other variants avoided the gem CLI and used Net::HTTP::Post directly with an Authorization header and application/octet-stream body Socket. RubyGems’ API documentation confirms that gem creation is a binary POST to /api/v1/gems authenticated with an Authorization header RubyGems API.

This makes credential rotation narrower than a typical credential stealer but still urgent. Rotate observed RubyGems API keys first, then evaluate secrets reachable from the host that ran the unknown delivery vector.

Registry Metadata Verification

Direct package pages for many sampled names now return not found or yanked states, but timeframe_versions remains useful for retrospective scoping. Representative API rows verified on May 28, 2026 included:

representative_verified_rows:
  - package: "agenda-sample-yard"
    version: "0.1.1"
    created_at: "2026-05-12T03:25:33.962Z"
    sha256: "2e4e099275efb8f886824a8eccdc595e624cd08ebb1772bd427710e08ff3ab24"
    yanked: true
  - package: "bot9evil"
    version: "0.1.0"
    created_at: "2026-05-12T03:23:17.445Z"
    sha256: "94d6c0b589704c8cc75e19f7250d6bfda473266dd7dd7e23fd14bd1bb972a717"
    yanked: true
  - package: "fetchrootx2"
    version: "0.0.1"
    created_at: "2026-05-12T03:21:50.962Z"
    sha256: "986342f884d531d686eeda19eb2cdc32eecea3f9d49ad6be6d493b5e680fc38b"
    yanked: true
  - package: "soufetchabc"
    version: "0.0.3"
    created_at: "2026-05-12T03:18:31.634Z"
    sha256: "75608fbc0307555c0f8eafe03f323c556dd4b2a7a05fa17ab4a13b7ef1d86eb7"
    yanked: true
  - package: "lambeth71b"
    version: "0.0.1"
    created_at: "2026-05-12T03:13:47.068Z"
    sha256: "34212b88108cab6ded037257d6fbc79a61b4c2ea8ecddc6c513b5aad1f308638"
    yanked: true

RubyGems also publishes weekly sanitized PostgreSQL dumps, which are the right next source for a complete registry-scale ledger without scraping live package pages RubyGems data.

Affected Assets And Blast Radius

affected_assets:
  ecosystems:
    - "RubyGems"
    - "Ruby"
  packages:
    - "agenda-sample-yard"
    - "bot9evil"
    - "fetchrootx2"
    - "soufetchabc"
    - "wandcabfetchfix21736"
    - "wandscrawlr"
    - "slnleaker5"
    - "fetchrootx1"
    - "lambeth71b"
    - "lambethx33zzz"
    - "southfetchprobe42"
  versions:
    - "0.0.1"
    - "0.0.2"
    - "0.0.3"
    - "0.0.5"
    - "0.1.0"
    - "0.1.1"
    - "1.0.0"
    - "1.2.3"
    - "9.8.0"
    - "9.9.0"
  public_sector_portals:
    - "moderngov[.]lambeth[.]gov[.]uk"
    - "democracy[.]wandsworth[.]gov[.]uk"
    - "moderngov[.]southwark[.]gov[.]uk"
  ci_cd_systems:
    - "unknown; any Ruby-capable release runner with outbound RubyGems publish access should be audited"
  developer_tools:
    - "Ruby"
    - "RubyGems gem CLI"
credentials_at_risk:
  - "RubyGems API keys embedded in payloads"
  - "secrets reachable from hosts where the unknown delivery vector executed"
not_currently_known_to_affect:
  - "Existing legitimate RubyGems packages, based on public reporting available for this post."
  - "Developers who only consumed normal Ruby dependencies and never executed the GemStuffer payload."

Indicators of Compromise

package_versions:
  - "agenda-sample-yard 0.1.1"
  - "bot9evil 0.1.0"
  - "fetchrootx2 0.0.1"
  - "soufetchabc 0.0.3"
  - "lambeth71b 0.0.1"
files:
  - "payload.rb"
  - "script.rb"
  - "evil.rb"
  - "yardload.rb"
  - "yard_plugin.rb"
  - "exploit.rb"
  - "extconf.rb"
  - "fetcher.rb"
  - "/tmp/gemhome/.gem/credentials"
  - "/tmp/rubydocran_*"
  - "lib/result.txt"
  - "x.gemspec"
hashes:
  - "239440c830e17530dda0a8a06ed2708860998750a1e3ed2239e919465dc59420"
  - "c2d6bcacc88177e0f2c8c262726f86f37e671b1692c8bc135bac4b610ddcf31a"
  - "34212b88108cab6ded037257d6fbc79a61b4c2ea8ecddc6c513b5aad1f308638"
  - "2e4e099275efb8f886824a8eccdc595e624cd08ebb1772bd427710e08ff3ab24"
  - "94d6c0b589704c8cc75e19f7250d6bfda473266dd7dd7e23fd14bd1bb972a717"
domains:
  - "rubygems[.]org"
  - "moderngov[.]lambeth[.]gov[.]uk"
  - "democracy[.]wandsworth[.]gov[.]uk"
  - "moderngov[.]southwark[.]gov[.]uk"
urls:
  - "hxxps://rubygems[.]org/api/v1/gems"
  - "hxxps://moderngov[.]lambeth[.]gov[.]uk/mgCalendarMonthView[.]aspx?M=1&Y=2026&GL=1&bcr=1"
  - "hxxps://democracy[.]wandsworth[.]gov[.]uk/mgCalendarMonthView[.]aspx?M=1&Y=2026&GL=1&bcr=1"
  - "hxxps://moderngov[.]southwark[.]gov[.]uk/mgCalendarMonthView[.]aspx?M=1&Y=2026&GL=1&bcr=1"
ips: []
process_patterns:
  - "ruby writing /tmp/gemhome/.gem/credentials"
  - "ruby running gem build"
  - "ruby running gem push"
  - "ruby Net::HTTP::Post to RubyGems"
network_patterns:
  - "POST hxxps://rubygems[.]org/api/v1/gems"
  - "GET ModernGov mgCalendarMonthView.aspx with User-Agent Mozilla/5.0"

Detection and Hunting

RubyGems Registry Retrospective

Use the included helper to reproduce the bounded registry search and produce JSON/CSV rows:

python3 scripts/gemstuffer_rubygems_audit.py --out-dir gemstuffer-audit registry

The script queries timeframe_versions for 2026-05-12T02:20:00Z through 2026-05-12T03:30:00Z, then flags rows that contain known representative package/version pairs, ModernGov domains, mgCalendarMonthView, ieList, mgCommittee, r.jina.ai, yanked status, or synthetic built_at values. Positive matches should be compared with Socket’s tracker and the RubyGems data dump before making a final public count.

Local Source, Cache, And Artifact Scan

Scan preserved /tmp, gem caches, CI workspaces, shell history exports, or source trees:

python3 scripts/gemstuffer_rubygems_audit.py --out-dir gemstuffer-audit scan /path/to/evidence --fail-on-match

Positive signals are GemStuffer file names, exact payload hashes, /tmp/gemhome, /tmp/rubydocran_, representative package names, ModernGov URLs, RubyGems push endpoint strings, and Ruby code selectors such as Gem::Package.build, Net::HTTP::Post.new, gem push, or ENV['HOME'] pointing to /tmp/gemhome.

Proxy, EDR, And CI Log Scan

Scan exported text, CSV, or JSON logs:

python3 scripts/gemstuffer_rubygems_audit.py --out-dir gemstuffer-audit logs /path/to/exported/logs --fail-on-match

Escalate when the same host, runner, user, or job shows both ModernGov scraping and a RubyGems gem-create POST. A lone ModernGov request may be routine public-web access; a lone RubyGems publish may be an approved release. The dangerous correlation is scraping followed by package publication from a system that should not be a RubyGems publisher.

SIEM Query Shape

positive_signals:
  - "http.method = POST and url.domain = rubygems.org and url.path = /api/v1/gems"
  - "process.name in (ruby, gem) and command_line contains gem push"
  - "file.path = /tmp/gemhome/.gem/credentials"
  - "url.domain in (moderngov.lambeth.gov.uk, democracy.wandsworth.gov.uk, moderngov.southwark.gov.uk) and url.path contains mgCalendarMonthView.aspx"
join_logic:
  - "same host or CI runner within 2 hours"
  - "same user or service account where available"
false_positives:
  - "legitimate RubyGems release jobs"
  - "public-sector monitoring tools fetching council pages"
  - "security research reproductions"
escalation:
  - "unauthorized RubyGems publish POST from developer, CI, or production host"
  - "RubyGems API key material logged or written outside approved secret storage"
  - "recovered gem archive containing non-public or sensitive council data"

Downstream Abuse Audits

• Registry abuse monitoring: Build an allowlist of systems permitted to publish to RubyGems. Alert on all other POST requests to rubygems[.]org/api/v1/gems, especially from CI jobs that usually only install dependencies.
• Public-sector data exposure: Extract recovered .gem files and inspect data.tar.gz for lib/result.txt or README content. Classify each recovered page as public, sensitive public-facing, private, or unknown.
• Package takedown: File RubyGems abuse reports for any remaining package versions and include package name, version, SHA-256, publish timestamp, and whether the archive contains council data.
• Incident response: Preserve /tmp staging directories and RubyGems credentials before cleanup. Rotate embedded RubyGems API keys, then review host-local secrets based on what the unknown delivery vector could access.
• Mirror cleanup: Search Artifactory, Nexus, Gemstash, and local gem caches for representative names and hashes. Yanked public gems can survive in internal mirrors.

Remediation

1. Contain systems that show GemStuffer execution or unauthorized RubyGems publishing.
2. Preserve /tmp/gemhome, /tmp/rubydocran_*, package staging directories, .gem archives, shell histories, CI logs, and proxy logs.
3. Revoke all RubyGems API keys observed in payloads or logs. Review key creation and usage around May 12, 2026.
4. Block RubyGems gem-create POSTs from networks and runners that should never publish gems.
5. For legitimate release automation, restrict RubyGems publishing to named runners and expected package names.
6. Remove cached GemStuffer gems from internal mirrors and dependency caches.
7. Classify any recovered council data and notify affected data owners if non-public or sensitive content appears.
8. Close the incident only after registry, endpoint, CI, proxy, and mirror checks are complete and documented.

Machine-Readable Event Profile

{
  "schema_version": "2.0",
  "event_id": "gemstuffer-rubygems-exfiltration-channel-2026-05-13",
  "event_name": "GemStuffer RubyGems Exfiltration Channel",
  "parent_campaign_id": "none",
  "is_campaign_level": true,
  "publication_state": "publish_ready",
  "confidence": "medium",
  "confidence_reason": "Primary research and RubyGems registry metadata confirm the technique and representative yanked package artifacts; publisher identities, full package set, and original delivery vector remain incomplete publicly.",
  "attack_types": ["registry abuse", "package artifact data staging", "hardcoded registry credential use", "public-sector scraping"],
  "sources": {
    "direct": ["https://guides.rubygems.org/rubygems-org-api/", "https://status.rubygems.org/history", "https://rubygems.org/pages/data"],
    "primary_research": ["https://socket.dev/blog/gemstuffer", "https://socket.dev/supply-chain-attacks/gemstuffer"],
    "correlated": []
  },
  "affected_assets": {
    "ecosystems": ["RubyGems", "Ruby"],
    "registries": ["RubyGems.org"],
    "packages": ["agenda-sample-yard", "bot9evil", "fetchrootx2", "soufetchabc", "wandcabfetchfix21736", "wandscrawlr", "slnleaker5", "fetchrootx1", "lambeth71b", "probeextwand", "designfetchdemo", "lambethx33zzz", "wandocal1", "wandcabm10266dsgn4", "sl-yard-probe2", "lambexploitabc1", "wandscrawlq", "lambcrawlxyz", "swmeetfetcha", "lbdeepgeta", "slfetchrootabc", "zzsouthrunnerb", "slnleakerext", "runnerhack1778553910", "southfetchprobe42"],
    "versions": ["0.0.1", "0.0.2", "0.0.3", "0.0.5", "0.1.0", "0.1.1", "1.0.0", "1.2.3", "9.8.0", "9.9.0"],
    "repositories": [],
    "vendors": ["Lambeth Council", "Wandsworth Council", "Southwark Council"],
    "ci_cd_systems": ["unknown"],
    "developer_tools": ["Ruby", "RubyGems gem CLI"],
    "credentials_at_risk": ["RubyGems API keys embedded in payloads", "credentials reachable from any host where the unknown delivery vector executed"]
  },
  "timeline": {
    "first_seen": "2026-05-12T02:20:00Z",
    "malicious_publish_time": "2026-05-12T02:20:00Z/2026-05-12T03:30:00Z",
    "discovery_time": "2026-05-13",
    "removal_time": "mixed; representative RubyGems API rows show yanked=true as of 2026-05-28",
    "disclosure_time": "2026-05-13",
    "patch_or_fix_time": "unknown"
  },
  "artifact_analysis": {
    "malicious_artifacts": ["payload.rb", "script.rb", "evil.rb", "yardload.rb", "yard_plugin.rb", "exploit.rb", "extconf.rb", "fetcher.rb", ".gem archives containing scraped responses"],
    "execution_trigger": "unknown",
    "payload_behavior": ["scrape ModernGov pages", "build RubyGems packages", "push packages with embedded RubyGems API keys"],
    "provenance": {}
  },
  "iocs": {
    "package_versions": ["agenda-sample-yard 0.1.1", "bot9evil 0.1.0", "fetchrootx2 0.0.1", "soufetchabc 0.0.3", "lambeth71b 0.0.1"],
    "files": ["payload.rb", "script.rb", "evil.rb", "yardload.rb", "yard_plugin.rb", "exploit.rb", "extconf.rb", "fetcher.rb", "/tmp/gemhome/.gem/credentials", "/tmp/rubydocran_*", "lib/result.txt", "x.gemspec"],
    "hashes": ["239440c830e17530dda0a8a06ed2708860998750a1e3ed2239e919465dc59420", "c2d6bcacc88177e0f2c8c262726f86f37e671b1692c8bc135bac4b610ddcf31a", "34212b88108cab6ded037257d6fbc79a61b4c2ea8ecddc6c513b5aad1f308638", "2e4e099275efb8f886824a8eccdc595e624cd08ebb1772bd427710e08ff3ab24", "94d6c0b589704c8cc75e19f7250d6bfda473266dd7dd7e23fd14bd1bb972a717"],
    "domains": ["rubygems.org", "moderngov.lambeth.gov.uk", "democracy.wandsworth.gov.uk", "moderngov.southwark.gov.uk"],
    "urls": ["https://rubygems.org/api/v1/gems", "https://moderngov.lambeth.gov.uk/mgCalendarMonthView.aspx?M=1&Y=2026&GL=1&bcr=1", "https://democracy.wandsworth.gov.uk/mgCalendarMonthView.aspx?M=1&Y=2026&GL=1&bcr=1", "https://moderngov.southwark.gov.uk/mgCalendarMonthView.aspx?M=1&Y=2026&GL=1&bcr=1"],
    "ips": [],
    "process_patterns": ["ruby writing /tmp/gemhome/.gem/credentials", "ruby running gem build", "ruby running gem push", "ruby Net::HTTP::Post to RubyGems"],
    "network_patterns": ["POST https://rubygems.org/api/v1/gems", "GET ModernGov mgCalendarMonthView.aspx with User-Agent Mozilla/5.0"]
  },
  "detection": {
    "registry_hunts": ["Query RubyGems timeframe_versions for May 12, 2026 versions containing ModernGov domains or known package/version pairs."],
    "filesystem_hunts": ["Search /tmp, gem caches, CI workspaces, and shell histories for GemStuffer filenames, /tmp/gemhome, and known package names."],
    "process_hunts": ["Find ruby processes invoking gem build, gem push, or Net::HTTP::Post to RubyGems from non-release hosts."],
    "network_hunts": ["Find RubyGems gem-create POSTs and ModernGov calendar scraping from developer, CI, or production hosts."],
    "ci_cd_hunts": ["Identify CI jobs with Ruby installed that made outbound RubyGems publish requests outside approved release workflows."]
  },
  "open_questions": ["complete 155 artifact list", "publisher account mapping", "initial delivery vector", "private-data exposure status"],
  "defender_takeaways": {
    "detection": "Treat unexpected RubyGems publishing traffic as exfiltration-capable egress, not merely release activity.",
    "hunting": "Correlate ModernGov scraping, /tmp gem staging, and RubyGems gem-create POSTs in the same host or CI job window.",
    "remediation": "Yank confirmed gems, revoke embedded RubyGems keys, preserve staging artifacts, and restrict gem publishing to approved release runners.",
    "prevention": "Block registry publish endpoints from systems that consume packages but never publish them."
  }
}

Open Questions

• The complete 155 package artifacts and publisher account mapping should be pulled from Socket export access or RubyGems database dumps.
• The delivery vector for payload.rb, script.rb, evil.rb, and related Ruby files is still unknown.
• Public evidence does not determine whether any recovered council data was non-public; classify recovered archive content before notifying as a data breach.

Sources

1. Socket: GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government
2. Socket GemStuffer campaign tracker
3. RubyGems.org API guide
4. RubyGems.org status history
5. RubyGems.org data dumps