Executive Summary
GemStuffer is not a classic dependency compromise: public evidence does not show existing legitimate gems being hijacked, mass developer installs, or a self-propagating installer. It is still supply-chain abuse because the actor used RubyGems' package release path as an exfiltration and storage primitive, turning ordinary gem artifacts into retrievable containers for scraped public-sector portal data Socket opens in a new tab.
Socket reports more than 100 gems in the campaign and says its tracker contains 155 affected package artifacts Socket opens in a new tab. Representative tracker rows include agenda-sample-yard 0.1.1, bot9evil 0.1.0, fetchrootx2 0.0.1, soufetchabc 0.0.3, wandcabfetchfix21736 0.0.1, wandscrawlr 0.0.1, slnleaker5 0.0.1, fetchrootx1 0.0.1, and lambeth71b 0.0.1 Socket tracker opens in a new tab. RubyGems' broader May 12 response says more than 500 malicious packages associated with the registry spam attack were yanked; that figure must not be treated as a GemStuffer-only count RubyGems status opens in a new tab.
The downstream risk is registry-abuse blind spots. A POST to rubygems[.]org/api/v1/gems can look like a normal release from a developer workstation or CI runner, but in this case the uploaded binary gem carried scraped HTML responses from UK council ModernGov portals. Defenders should monitor who is allowed to publish packages, not only which packages are installed.