Supply Chain | May 13, 2026

GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government

GemStuffer campaign abuses RubyGems to exfiltrate data from UK local government portals.

Summary

The GemStuffer campaign uses malicious RubyGems packages to scrape and exfiltrate data from UK local government democratic services portals. The packages collect council calendar pages, agenda listings, and committee links, then package the data into valid .gem archives and publish them to RubyGems using hardcoded API keys. This campaign abuses the trust placed in package registries to exfiltrate data.
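
A defender-side triage sketch for the pattern described in the summary, written for this page and not taken from the original research: it flags unpacked gem source in which a hardcoded RubyGems API key appears alongside code that builds or pushes gems. The regexes, the verdict thresholds, and all sample inputs (including `FAKE_KEY`) are assumptions constructed for illustration.

```ruby
# Added example: heuristic static triage for the GemStuffer pattern.
# The regexes are assumptions chosen for illustration, not published signatures.
SIGNALS = {
  hardcoded_api_key: /rubygems_[0-9a-f]{48}/,   # RubyGems.org API key format
  outbound_fetch:    /Net::HTTP|URI\.open|require ['"]open-uri['"]/,
  builds_gem:        /Gem::Package\.build|\bgem\s+build\b/,
  publishes_gem:     %r{/api/v1/gems\b|\bgem\s+push\b}
}.freeze

# files: { relative_path => source_text } taken from an unpacked gem.
# Returns { signals: { name => [paths] }, verdict: Symbol }.
def scan_gem(files)
  hits = {}
  files.each do |path, src|
    next if path.end_with?(".gemspec") # build metadata, not runtime code
    SIGNALS.each { |name, re| (hits[name] ||= []) << path if src.match?(re) }
  end
  ships_gems = hits.key?(:builds_gem) || hits.key?(:publishes_gem)
  verdict =
    if hits.key?(:hardcoded_api_key) && ships_gems then :suspicious
    elsif hits.key?(:hardcoded_api_key) || hits.key?(:publishes_gem) then :review
    else :clean # fetching over HTTP alone is normal library behaviour
    end
  { signals: hits, verdict: verdict }
end

FAKE_KEY = "rubygems_" + "a1" * 24 # constructed placeholder, not a real key

# Constructed sample: runtime code that embeds a key and ships gems itself.
CONSTRUCTED_SUSPECT = {
  "demo.gemspec" => "Gem::Specification.new { |s| s.name = 'demo' }",
  "lib/demo.rb"  => <<~SRC
    API_KEY = "#{FAKE_KEY}"
    body = Net::HTTP.get(URI(calendar_url))
    Gem::Package.build(spec)
    system("gem push", archive)
  SRC
}.freeze

# Constructed sample: an ordinary HTTP client library.
CONSTRUCTED_BENIGN = {
  "lib/client.rb" => "require 'net/http'\nNet::HTTP.get(URI('https://example.com/status'))\n"
}.freeze

puts scan_gem(CONSTRUCTED_SUSPECT)[:verdict] if $PROGRAM_NAME == __FILE__
```

A `:review` verdict (key present without build or push code, or push code without a key) is a prompt for manual inspection and key rotation, not a detection by itself.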


Indicators of Compromise

  • url — hxxps://moderngov[.]lambeth[.]gov[.]uk/mgCalendarMonthView[.]aspx?M=1&Y=2026&GL=1&bcr=1
  • url — hxxps://democracy[.]wandsworth[.]gov[.]uk/mgCalendarMonthView[.]aspx?M=1&Y=2026&GL=1&bcr=1
  • url — hxxps://moderngov[.]southwark[.]gov[.]uk/mgCalendarMonthView[.]aspx?M=1&Y=2026&GL=1&bcr=1

Entities

  • RubyGems (technology)
  • Ruby Central (vendor)
  • ModernGov (technology)
  • Net::HTTP (technology)