{
  "title": "GemStuffer RubyGems Exfiltration Channel",
  "summary": "GemStuffer used RubyGems package publishing as a data-staging channel, wrapping scraped UK council ModernGov portal responses into junk gem artifacts published with embedded RubyGems API keys.",
  "date": "2026-05-28",
  "severity": "medium",
  "tags": [
    "supply-chain",
    "rubygems",
    "ruby",
    "exfiltration",
    "public-sector"
  ],
  "sources_count": 5,
  "indicators": {
    "slug": "gemstuffer-rubygems-exfiltration-channel",
    "since": "2026-05-28T00:00:00Z",
    "until": "2026-05-28T23:59:59Z",
    "ecosystem": "rubygems, ruby rubygems.org",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [],
    "versions": [
      "agenda-sample-yard 0.1.1",
      "bot9evil 0.1.0",
      "fetchrootx2 0.0.1",
      "soufetchabc 0.0.3",
      "lambeth71b 0.0.1"
    ],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [
      "payload.rb",
      "script.rb",
      "evil.rb",
      "yardload.rb",
      "yard_plugin.rb",
      "exploit.rb",
      "extconf.rb",
      "fetcher.rb",
      "/tmp/gemhome/.gem/credentials",
      "/tmp/rubydocran_*",
      "lib/result.txt",
      "x.gemspec"
    ],
    "paths": [],
    "services": [],
    "domains": [
      "rubygems.org",
      "moderngov.lambeth.gov.uk",
      "democracy.wandsworth.gov.uk",
      "moderngov.southwark.gov.uk"
    ],
    "urls": [
      "https://rubygems.org/api/v1/gems",
      "https://moderngov.lambeth.gov.uk/mgCalendarMonthView.aspx?M=1&Y=2026&GL=1&bcr=1",
      "https://democracy.wandsworth.gov.uk/mgCalendarMonthView.aspx?M=1&Y=2026&GL=1&bcr=1",
      "https://moderngov.southwark.gov.uk/mgCalendarMonthView.aspx?M=1&Y=2026&GL=1&bcr=1"
    ],
    "ips": [],
    "hashes": [
      "239440c830e17530dda0a8a06ed2708860998750a1e3ed2239e919465dc59420",
      "c2d6bcacc88177e0f2c8c262726f86f37e671b1692c8bc135bac4b610ddcf31a",
      "34212b88108cab6ded037257d6fbc79a61b4c2ea8ecddc6c513b5aad1f308638",
      "2e4e099275efb8f886824a8eccdc595e624cd08ebb1772bd427710e08ff3ab24",
      "94d6c0b589704c8cc75e19f7250d6bfda473266dd7dd7e23fd14bd1bb972a717"
    ],
    "processPatterns": [
      "ruby writing /tmp/gemhome/.gem/credentials",
      "ruby running gem build",
      "ruby running gem push",
      "ruby Net::HTTP::Post to RubyGems"
    ],
    "networkPatterns": [
      "POST hxxps://rubygems.org/api/v1/gems",
      "GET ModernGov mgCalendarMonthView.aspx with User-Agent Mozilla/5.0"
    ],
    "telemetrySelectors": []
  }
}