GemStuffer infects one hundred fifty Ruby gems to steal data from UK town halls

Published on May 15, 2026 | Translated from Spanish

A malicious actor known as GemStuffer has compromised over 150 RubyGems packages with the aim of extracting data from UK town council portals. The campaign uses the stuffing technique, creating gems with names similar to legitimate libraries to deceive developers. Once installed, these gems collect sensitive citizen information and administrative records, exfiltrating it to servers controlled by the attacker.

Illustration: a pile of bright red Ruby gems, labelled "malware", surrounding a map of the UK with town hall icons on alert.

How the stuffing attack operates in the Ruby ecosystem 🛡️

The attack relies on the mass publication of gems whose names are typographically close to those of popular libraries, either by misspelling the legitimate name (typosquatting) or by combining it with a plausible extra word (combosquatting). Once installed, they execute code that scrapes data from town council portals, including names, addresses, and public service records. Exfiltration is carried out via HTTP requests to remote servers. Detection is difficult because the malicious gems mimic the basic functionality of the originals, hiding their harmful payload in secondary modules or behind code obfuscation.
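As an added defensive example that is not part of the original article, the Ruby script below parses a constructed Gemfile.lock fragment and flags dependency names that sit a short edit distance from well-known gems; the allow-list and the gem name `nokogirii` are assumptions invented for the example, not real packages from the campaign.

```ruby
# Added example, not code from the article: flag Gemfile.lock dependencies whose
# names are a short edit distance from well-known gems (a review queue, not proof).

# Levenshtein edit distance between two strings (row-by-row dynamic programming).
def edit_distance(a, b)
  prev = (0..b.size).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev.last
end

# Gem names from the specs section of a Gemfile.lock: resolved gems sit at four
# spaces as "    name (version)"; their deeper-indented dependency lines are skipped.
def lock_gem_names(lock_text)
  lock_text.each_line.filter_map do |line|
    m = line.match(/\A {4}(\S+) \(/)
    m && m[1]
  end.uniq
end

# [suspect, lookalike] pairs: names within max_distance edits of a well-known gem
# but not identical to it. Exact allow-list members pass unflagged.
def typosquat_candidates(names, well_known, max_distance: 2)
  names.filter_map do |name|
    next if well_known.include?(name)
    match = well_known.find { |w| edit_distance(name, w) <= max_distance }
    [name, match] if match
  end
end

WELL_KNOWN = %w[rails nokogiri rack devise puma].freeze # assumed allow-list
# Constructed Gemfile.lock fragment; "nokogirii" is invented for this example.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
      nokogirii (0.0.3)
      rack (3.0.8)
LOCK

if __FILE__ == $PROGRAM_NAME
  typosquat_candidates(lock_gem_names(SAMPLE_LOCK), WELL_KNOWN).each { |s, l| puts "review #{s}: resembles #{l}" }
end
```

Near misses between two legitimate gems (for instance `rack` and `rake`) will also be flagged, so keep every gem the project genuinely uses on the allow-list and treat the output as a list to review against rubygems.org, not as a verdict.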

GemStuffer: the data collector who didn't ask for permission 😅

It seems GemStuffer understood the concept of open source quite literally: everything they find on municipal portals is theirs. With over 150 gems, they have built a library of other people's data that would make any archivist pale in comparison. The funny thing is that, instead of requesting a public API, they preferred the method of asking nicely through malware. At least, if anyone asks, they already know the code wasn't theirs; it was just passing through.