{"id":3452,"date":"2025-06-05T12:01:43","date_gmt":"2025-06-05T12:01:43","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3452"},"modified":"2025-06-05T12:01:43","modified_gmt":"2025-06-05T12:01:43","slug":"supply-chain-attack-hits-rubygems-to-steal-telegram-api-data","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3452","title":{"rendered":"Supply chain attack hits RubyGems to steal Telegram API data"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>An ongoing supply chain attack is targeting the RubyGems ecosystem to publish malicious packages intended to steal sensitive Telegram data.<\/p>\n<p>Published by a threat actor using multiple accounts under aliases B\u00f9i nam, buidanhnam, and si_mobile, the malicious gems (ruby packages) pose as legitimate Fastlane plugins and exfiltrate data to an actor-controlled command and control (C2) server. Fastlane is a popular open-source tool, used extensively in CI\/CD pipelines, to automate building, testing, and releasing mobile apps (iOS and Android).<\/p>\n<p>\u201cMalicious actors take advantage of the trust inherent in open-source environments by embedding harmful code that can jeopardize systems, steal sensitive information, or, in this case, misdirect critical API traffic,\u201d said Eric Schwake, director of cybersecurity strategy at Salt Security. 
\u201cThe identification of certain Ruby gems aimed at exfiltrating Telegram <a href=\"https:\/\/www.csoonline.com\/article\/570719\/how-api-attacks-work-and-how-to-identify-and-prevent-them.html\">API<\/a> tokens and messages highlights a significant and ongoing risk to the software supply chain.\u201d<\/p>\n<p>The ongoing attack was first spotted by Socket\u2019s Threat Research Team, who noted that the malicious gems appeared just days after Vietnam\u2019s nationwide Telegram <a href=\"https:\/\/www.reuters.com\/sustainability\/society-equity\/vietnam-acts-block-messaging-app-telegram-government-document-seen-by-reuters-2025-05-23\/\" target=\"_blank\" rel=\"noopener\">ban<\/a>, likely to exploit the heightened demand for Telegram workarounds with \u201cproxy\u201d offerings.<\/p>\n<h2 class=\"wp-block-heading\">Two rogue plugins in circulation<\/h2>\n<p>The threat actor published two malicious gems, \u201cfastlane-plugin-telegram-proxy\u201d and \u201cfastlane-plugin-proxy_telegram,\u201d near-identical clones of the legitimate \u201cfastlane-plugin-telegram.\u201d<\/p>\n<p>While the packages retained all the functionality and documentation of the legitimate plugin, they added one critical alteration: the modified gems redirected all Telegram API traffic to an actor-controlled C2 server.<\/p>\n<p>\u201cThese gems silently exfiltrate all data sent to the Telegram API (used by the Fastlane plugin) by redirecting traffic through a C2 server controlled by the threat actor,\u201d security researcher Kirill Boychenko said in a blog <a href=\"https:\/\/socket.dev\/blog\/malicious-ruby-gems-exfiltrate-telegram-tokens-and-messages-following-vietnam-ban\" target=\"_blank\" rel=\"noopener\">post<\/a>. 
\u201cThis includes bot tokens, chat IDs, message content, and attached files.\u201d<\/p>\n<p>The threat actors modified the legitimate plugin\u2019s behavior of sending messages to Telegram through the Telegram Bot API by replacing the Telegram API endpoint (https:\/\/api.telegram.org) with their own C2 server.<\/p>\n<p>\u201cA single line swap rerouted every Telegram API call through a Cloudflare Worker under an attacker\u2019s control, siphoning tokens, files, IDs, and more,\u201d said Jason Soroko, Senior Fellow at Sectigo.<\/p>\n<h2 class=\"wp-block-heading\">Risk may extend past the regional ban<\/h2>\n<p>The malicious packages (gems) were published by the threat actor on May 24, 2025, three days after Vietnam\u2019s Ministry of Information and Communications ordered a nationwide ban on Telegram and gave internet service providers until June 2 to report compliance.<\/p>\n<p>Apart from the timing, the aliases used by the threat actor also suggested a Vietnamese theme, as did the \u201cTelegram proxy\u201d hook used to market the gems. While seemingly targeted, the attack may still have an impact beyond the region covered by the ban.<\/p>\n<p>\u201cThe operator, using Vietnamese-language aliases, pushed the gems days after Vietnam banned Telegram, but the code has no geofence, so any Fastlane pipeline that pulled the plugin was compromised,\u201d Soroko explained.<\/p>\n<p>Boychenko recommended that anyone looking for a Telegram proxy verify it by checking for open-source licensing, transparent author details, configurable endpoints (not silent, hardcoded replacements), and clear privacy and logging policies. Typosquatting dependencies remain a popular supply chain attack technique.<\/p>\n<p>Recently, attackers were found dropping over 60 malicious npm packages within two weeks to steal network information, a discovery also reported by Boychenko. 
Malicious actors have also begun exploiting AI hallucinations to carry out <a href=\"https:\/\/www.csoonline.com\/article\/3961304\/ai-hallucinations-lead-to-new-cyber-threat-slopsquatting.html?utm=hybrid_search\">SlopSquatting<\/a> attacks, publishing malicious packages with names that AI tools might incorrectly suggest to developers.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>An ongoing supply chain attack is targeting the RubyGems ecosystem to publish malicious packages intended to steal sensitive Telegram data. Published by a threat actor using multiple accounts under aliases B\u00f9i nam, buidanhnam, and si_mobile, the malicious gems (ruby packages) pose as legitimate Fastlane plugins and exfiltrate data to an actor-controlled command and control (C2) [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3453,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3452","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3452"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3452"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3452\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3453"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}