Attackers Weaponize RubyGems for Data Dead Drops
ID: 3bdbb9a6-151c-5ac8-9750-b90ed577b994
STIX ID: report--3bdbb9a6-151c-5ac8-9750-b90ed577b994
Feed Name: Dark Reading
Socket researchers identified a campaign dubbed "GemStuffer" in which an actor publishes over 100 RubyGems packages containing scripts that scrape public UK local-government pages and embed the scraped data into .gem archives, which are then uploaded to rubygems.org using hardcoded API keys; the actor later downloads and extracts those packages, using the registry as a dead-drop data transport. The activity is noisy and possibly experimental (registry spam, a proof-of-concept worm, or misuse of an automated scraper), with low download counts and unclear victim impact, but it highlights a novel abuse of package registries and the need to secure publishing workflows and CI pipelines, in particular by keeping publishing credentials out of source and by monitoring what is published under an organisation's accounts.
