Two malicious RubyGems packages posing as standard Fastlane CI/CD plugins redirect Telegram API requests to attacker-controlled servers to intercept and steal knowledge.
RubyGems is the official package deal supervisor for the Ruby programming language, used for distributing, putting in, and managing Ruby libraries (gems), just like npm for JavaScript and PyPI for Python.
The packages intercept delicate knowledge, together with chat IDs and message content material, connected recordsdata, proxy credentials, and even bot tokens that can be utilized for hijacking Telegram bots.
The provision chain assault was found by Socket researchers, who warned the Ruby builders neighborhood in regards to the threat by way of a report.
The 2 packages that typosquat Fastlane are nonetheless reside on RubyGems underneath the next names:Â
- fastlane-plugin-telegram-proxy: Printed on Could 30, 2025, has 287 downloads
- fastlane-plugin-proxy_teleram: Printed on Could 24, 2025, has 133 downloads
Quick lane to knowledge theft
Fastlane is a official open-source plugin that serves as an automation device for cellular app builders. It’s used for code signing, compiling builds, app retailer importing, notification supply, and metadata administration.
The ‘fastlane-plugin-telegram’ is a official plugin that enables Fastlane to ship notifications over Telegram utilizing a Telegram bot that posts on a specified channel.
That is useful for builders who want real-time updates on CI/CD pipelines inside their Telegram workspace, permitting them to maintain observe of key occasions with out having to examine dashboards.
Supply: Socket
The malicious gems found by Socket are practically similar to the official plugin, that includes the identical public API, readme file, documentation, and core performance.
The one distinction, albeit a vital one, is swapping out the official Telegram API endpoint (https://api.telegram.org/) with the attacker’s proxy-controlled endpoint (rough-breeze-0c37[.]buidanhnam95[.]employees[.]dev), in order that delicate info is intercepted (and really seemingly collected).
Supply: Socket
Stolen knowledge consists of the bot token, the message knowledge, any uploaded recordsdata, and proxy credentials if configured.
The attacker has ample alternative for exploitation and persistence as a result of Telegram bot tokens stay legitimate till manually revoked by the sufferer.
Socket notes that the gems’ touchdown pages point out that the proxy “doesn’t retailer or modify your bot tokens,” nevertheless, there is not any method to confirm this declare.
“Cloudflare Employee scripts usually are not publicly seen, and the risk actor retains full capability to log, examine, or alter any knowledge in transit,” explains Socket.
“The usage of this proxy, mixed with the typosquatting of a trusted Fastlane plugin, clearly signifies intent to exfiltrate tokens and message knowledge underneath the guise of regular CI habits.”
“Furthermore, the risk actor has not printed the Employee’s supply code, leaving its implementation fully opaque.”
Builders who’ve put in the 2 malicious gems ought to take away them instantly and rebuild any cellular binaries produced after the set up date. Additionally, all bot tokens used with Fastlane needs to be rotated as they’ve been compromised.
Socket additionally suggests blocking visitors to ‘*.employees[.]dev’ except explicitly wanted.
Guide patching is outdated. It is sluggish, error-prone, and hard to scale.
Be part of Kandji + Tines on June 4 to see why outdated strategies fall brief. See real-world examples of how trendy groups use automation to patch sooner, minimize threat, keep compliant, and skip the advanced scripts.
