How the Attack Worked
Security researchers have uncovered a sophisticated software supply chain attack that abused the RubyGems package registry. The operation, tracked as GemStuffer, involved publishing more than 150 malicious Ruby packages designed to steal data from UK council portals. The attacker used automated scraping techniques to extract sensitive information from local government systems, then funneled the stolen data through the malicious gems back to command-and-control infrastructure.
The malicious packages were disguised as legitimate libraries and contained hidden code that activated during normal use. Once installed in development environments or on servers, the payload would scrape council portal databases and exfiltrate the results. The attacker employed a technique known as dependency confusion: packages whose names resemble those of an organisation's internal libraries are uploaded to a public registry, so that build systems resolving those names download the public, malicious version instead of the private one.
Impact and Response
UK local government portals contain a wealth of citizen data including council tax records, housing benefit information, and planning application details. The attack represents a significant breach of trust in the software supply chain that powers many public sector digital services. RubyGems maintainers have removed the identified malicious packages, but the incident highlights the ongoing challenge of securing package registries against automated abuse.
The attack demonstrates how weaknesses in open source ecosystems can be exploited to target specific geographic regions and sectors. Organizations using RubyGems are advised to audit their dependencies, implement package signing, and use private registries for internal libraries. The UK’s National Cyber Security Centre has been alerted to the campaign and is working with affected councils to assess the data exposure.
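As an added example, not code from the article or the campaign it describes: a small Ruby audit that reads a Gemfile and reports internal gems that are not pinned to the private registry, which is the Bundler-level guard against the dependency confusion technique described above. The registry URL, gem names and both Gemfile texts are constructed for the example.

```ruby
# Added example (not from the article): audit a Gemfile for dependency-confusion
# exposure. An internal gem not pinned to the private registry, by a
# `source ... do` block or a `source:` option, can be resolved from the public
# registry if the same name is published there. All values are constructed.
class GemfileAudit
  attr_reader :gems
  def initialize
    @gems = []          # { name:, source: } for every gem declaration
    @source_stack = []  # registries scoping the current `source ... do` block
  end
  # The Bundler DSL calls we inspect; everything else is ignored.
  def source(url, &block)
    return unless block # a bare global source pins nothing
    @source_stack.push(url)
    instance_eval(&block)
    @source_stack.pop
  end
  def gem(name, *_versions, **opts)
    @gems << { name: name, source: opts[:source] || @source_stack.last }
  end
  def group(*_names, **_opts, &block); instance_eval(&block) if block; end
  def method_missing(*_args, &_block); end # ruby, gemspec, platforms, ...
  def respond_to_missing?(*_args); true; end

  # Internal gem names that a registry other than the private one could serve.
  def self.exposed_internal_gems(gemfile_text, internal_names, private_registry)
    audit = new
    audit.instance_eval(gemfile_text)
    audit.gems.select { |g| internal_names.include?(g[:name]) }
              .reject { |g| g[:source] == private_registry }
              .map { |g| g[:name] }
  end
end

PRIVATE  = "https://gems.example.internal" # assumed private registry URL
INTERNAL = ["council-portal-client", "council-auth"]
WEAK_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails", "~> 7.1"
  gem "council-portal-client"   # internal name, served by the public registry
  gem "council-auth", source: "https://rubygems.org"
GEMFILE
HARDENED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails", "~> 7.1"
  source "#{PRIVATE}" do        # internal gems are only ever fetched from here
    gem "council-portal-client"
    gem "council-auth"
  end
GEMFILE
```

Running `GemfileAudit.exposed_internal_gems` over the weak Gemfile names both internal gems; over the hardened one it returns an empty list.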
Source: The Hacker News