GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data
Summary
A newly identified campaign, tracked as GemStuffer, abuses more than 150 gems published to the RubyGems repository as a channel for exfiltrating data scraped from U.K. council portals, rather than as a vehicle for delivering malware to developers. The researchers note that the gems are not built to compromise the developers who might install them: they show little download activity, and their payloads are largely repetitive from one gem to the next.
IFF Assessment
This campaign is a novel use of a trusted software repository as an exfiltration channel rather than as a malware delivery vector. Because traffic to a package registry is routinely permitted by egress controls, the registry can serve as a low-suspicion drop point for stolen data. That is a significant risk for any organization that treats RubyGems traffic as inherently benign, and it undermines the assumption that a package hosted on a trusted registry is there for a legitimate purpose.
Defender Context
Defenders should be aware that trusted package repositories can be used as an exfiltration channel, not only as a source of malicious dependencies. Network monitoring should cover outbound traffic to package registries from development environments and build hosts, in particular uploads (such as gem push) from systems that have no business publishing packages and data volumes out of proportion to normal dependency traffic. Review of third-party dependencies should look beyond malicious code to unexplained bundled data: a gem with almost no downloads, a payload far larger than its code, or a blob that recurs unchanged across several gems warrants scrutiny, since those are the traits the researchers observed in this campaign.
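As an added illustration, and not code from the original report or from the researchers who identified the campaign, the following Ruby script shows one way to triage gems for the traits described above. It unpacks a .gem with the standard Gem::Package API, flags bundled files that look like carried data rather than library code (large non-Ruby files, or files with near-random byte distributions), and then checks whether the same flagged blob recurs under more than one gem name, which is the repetitive-payload signal. The size and entropy thresholds, the gem names alpha and beta, and the payload bytes are constructed assumptions for the demonstration; none of them is an indicator from the GemStuffer campaign.

```ruby
#!/usr/bin/env ruby
# Added example: offline triage of "stuffed" gems. Builds two constructed gems in a
# temp dir, unpacks them with the stock Gem::Package API, and flags files that look
# like carried data rather than library code. Thresholds, gem names and payload bytes
# are assumptions for illustration, not indicators from the GemStuffer report.
require "rubygems"
require "rubygems/package"
require "digest"
require "tmpdir"
require "fileutils"

CODE_EXTS = %w[.rb .rake .gemspec].freeze

# Shannon entropy in bits per byte (0.0..8.0). Compressed or encrypted blobs sit close
# to 8; Ruby source usually lands around 4.5-5.5; base64 text tops out at 6.
def shannon_entropy(bytes)
  return 0.0 if bytes.empty?
  counts = Hash.new(0)
  bytes.each_byte { |b| counts[b] += 1 }
  len = bytes.bytesize.to_f
  -(counts.each_value.sum { |c| prob = c / len; prob * Math.log2(prob) })
end

# One hash per bundled file: gem, path, size, entropy, sha256 and a list of reasons.
# A non-empty :reasons list is a triage hit. extract_files verifies the package
# checksums first, so a tampered archive raises instead of being silently unpacked.
def triage_gem(gem_path, size_threshold: 64 * 1024, entropy_threshold: 7.0)
  pkg = Gem::Package.new(gem_path)
  Dir.mktmpdir("gemtriage") do |dir|
    pkg.extract_files(dir)
    pkg.contents.each_with_object([]) do |rel, out|
      path = File.join(dir, rel)
      next unless File.file?(path)
      bytes = File.binread(path)
      ent = shannon_entropy(bytes)
      reasons = []
      if bytes.bytesize > size_threshold && !CODE_EXTS.include?(File.extname(rel))
        reasons << "non-code file of #{bytes.bytesize} bytes"
      end
      reasons << "entropy #{ent.round(2)} bits/byte" if ent > entropy_threshold
      out << { gem: File.basename(gem_path), file: rel, size: bytes.bytesize,
               entropy: ent, sha256: Digest::SHA256.hexdigest(bytes), reasons: reasons }
    end
  end
end

# Cross-gem view: the same flagged blob published under more than one gem name is the
# "repetitive payload" pattern. Returns { sha256 => ["gem:file", ...] }.
def repeated_payloads(reports)
  reports.flatten
         .reject { |f| f[:reasons].empty? }
         .group_by { |f| f[:sha256] }
         .select { |_, files| files.map { |f| f[:gem] }.uniq.size > 1 }
         .transform_values { |files| files.map { |f| "#{f[:gem]}:#{f[:file]}" } }
end

# Builds a constructed gem (one tiny Ruby file plus an opaque blob) in `dir` and returns
# the absolute path of the .gem. Spec validation is skipped because this is a throwaway.
def build_constructed_gem(name, payload, dir)
  Dir.chdir(dir) do
    FileUtils.mkdir_p("lib")
    File.write("lib/#{name}.rb", "module #{name.capitalize}\n  VERSION = '0.0.1'\nend\n")
    File.binwrite("lib/payload.bin", payload)
    spec = Gem::Specification.new do |s|
      s.name    = name
      s.version = "0.0.1"
      s.summary = "constructed gem for triage demo"
      s.authors = ["triage-example"]
      s.files   = ["lib/#{name}.rb", "lib/payload.bin"]
    end
    File.expand_path(Gem::Package.build(spec, true))
  end
end

# End-to-end run on two constructed gems that carry the same 200 KB high-entropy blob
# (a deterministic stand-in for a compressed exfiltration payload).
def demo
  payload = Random.new(1).bytes(200_000)
  Dir.mktmpdir("gemsrc") do |root|
    paths = %w[alpha beta].map do |name|
      dir = File.join(root, name)
      FileUtils.mkdir_p(dir)
      build_constructed_gem(name, payload, dir)
    end
    reports = paths.map { |p| triage_gem(p) }
    { hits: reports.flatten.reject { |f| f[:reasons].empty? },
      repeated: repeated_payloads(reports) }
  end
end

if $PROGRAM_NAME == __FILE__
  result = demo
  puts "Flagged files:"
  result[:hits].each { |f| puts "  #{f[:gem]}:#{f[:file]} (#{f[:reasons].join('; ')})" }
  puts "Payloads shared across gems:"
  result[:repeated].each { |digest, where| puts "  #{digest[0, 16]}... -> #{where.join(', ')}" }
end
```

Against real gems the same two functions apply to files fetched with gem fetch: triage_gem on each file, then repeated_payloads over the collected reports. The entropy check alone misses base64-encoded data hidden inside a .rb file (base64 caps at 6 bits per byte), which is why the size check is applied to non-code files and why an oversized Ruby source file still deserves a manual look.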