Researchers from the Socket Threat Research Team have discovered two malicious RubyGems packages that target developers who use Telegram for CI/CD notifications, part of a recent surge in supply chain attacks on the open-source software ecosystem.
Disguised as legitimate Fastlane plugins, fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram were published by a threat actor using aliases such as Bùi nam, buidanhnam, and si_mobile.
These gems exploit the urgency created by Vietnam’s nationwide block on Telegram, in effect since May 21, 2025, by posing as proxy solutions that help circumvent the messaging ban.
Technical Details of the Attack
The attackers employed a near-perfect clone of the widely used fastlane-plugin-telegram gem, preserving its documentation, API, and most of its functionality.
However, they introduced a critical modification: the replacement of Telegram’s official API endpoint with a command-and-control (C2) domain under the attacker’s control (rough-breeze-0c37[.]buidanhnam95[.]workers[.]dev).

Every message, bot token, chat ID, and file sent via the plugin is silently redirected through the rogue proxy.
According to the Socket report, this enables the extraction of sensitive credentials, including full-access Telegram bot tokens, and the interception of potentially confidential communications and CI/CD artifacts.
The deception is thorough; the plugins return valid Telegram API responses, masking their true behavior and evading static analysis and automated tests.
Because Fastlane is typically integrated into CI/CD workflows, the risk expands beyond chat data theft to broader compromise, including environment secrets, signing keys, and release binaries.
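The modification described above is a single hardcoded host swap, which is exactly the kind of thing a pre-install review can catch. The following Ruby script is an added example (not Socket’s tooling and not the gem’s own code): it pulls every http(s) host out of a plugin’s source and reports any that is not the real Telegram API, treating the C2 domain from the report and the *.workers.dev suffix as higher-severity hits. The two plugin snippets are constructed stand-ins shaped like a Fastlane action; only the endpoint differs between them.

```ruby
# Added example (not Socket's tooling or the gem's code): flag hardcoded
# hosts in a Fastlane plugin's source that are not the real Telegram API.

# Host a Telegram notification plugin is legitimately expected to reach.
ALLOWED_HOSTS = ['api.telegram.org'].freeze

# C2 endpoint published in the Socket report (shown defanged in the article).
KNOWN_C2_HOSTS = ['rough-breeze-0c37.buidanhnam95.workers.dev'].freeze

# Hosting suffix the article recommends blocking at the egress unless required.
SUSPICIOUS_SUFFIXES = ['.workers.dev'].freeze

# Capture only the host part of http(s) URLs; the path often carries Ruby
# interpolation such as bot#{token}, which we deliberately do not parse.
HOST_PATTERN = %r{https?://([A-Za-z0-9.\-]+)}

# Unique, lower-cased hosts referenced anywhere in the source text.
def extract_hosts(source)
  source.scan(HOST_PATTERN).flatten.map(&:downcase).uniq
end

# Verdict order: known C2, then suspicious hosting suffix, then allowlist;
# anything else is simply unexpected for a Telegram plugin.
def classify_host(host)
  return :known_c2 if KNOWN_C2_HOSTS.include?(host)
  return :suspicious_suffix if SUSPICIOUS_SUFFIXES.any? { |s| host.end_with?(s) }
  return :ok if ALLOWED_HOSTS.include?(host)
  :unexpected
end

# Returns { host => verdict } for every non-allowlisted host in the source.
def flag_redirects(source)
  extract_hosts(source).each_with_object({}) do |host, findings|
    verdict = classify_host(host)
    findings[host] = verdict unless verdict == :ok
  end
end

# Constructed sample modelled on the shape of a Fastlane action; it is not the
# actual plugin source. The single-quoted heredoc keeps #{...} literal.
LEGIT_PLUGIN = <<~'RUBY'
  module Fastlane
    module Actions
      class TelegramAction < Action
        def self.run(params)
          uri = URI("https://api.telegram.org/bot#{params[:token]}/sendMessage")
          Net::HTTP.post_form(uri, chat_id: params[:chat_id], text: params[:text])
        end
      end
    end
  end
RUBY

# The "clone": identical code with only the endpoint replaced by the C2 host.
CLONED_PLUGIN = LEGIT_PLUGIN.sub('api.telegram.org', KNOWN_C2_HOSTS.first)

if __FILE__ == $PROGRAM_NAME
  { 'legit' => LEGIT_PLUGIN, 'cloned' => CLONED_PLUGIN }.each do |label, src|
    findings = flag_redirects(src)
    puts "#{label}: #{findings.empty? ? 'clean' : findings.inspect}"
  end
end
```

Run it over the unpacked gem directory (for example by feeding each .rb file under lib/ to flag_redirects) rather than over the README: the report notes the clone kept the documentation intact, so only the code reveals the swap. A plugin that passes this check can still proxy through a host resolved at runtime, so treat an empty result as one signal, not a clearance.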
Strategic Timing
The attacker utilized typosquatting, intentionally introducing minor variations in gem names (such as “teleram” instead of “telegram” and the “-proxy” suffix) to blend malicious packages with legitimate ones.
Furthermore, they forked the official plugin repository and used their clone as the homepage for the malicious gem to strengthen credibility.
Timing played a pivotal role. The gems were published within days of the Vietnamese government’s Telegram ban, exploiting the predictable surge in developer demand for Telegram workarounds.
The campaign used Vietnamese-formatted author identities and targeted documentation, underscoring an intent to exploit both geopolitical events and user trust in open-source ecosystems.
While the campaign’s lure is tailored for Vietnam-based developers, the malicious code indiscriminately exfiltrates data from any environment it is installed in.
The malware lacks geofencing or locale-specific checks, thereby affecting any global user or organization that unknowingly adds these gems to their CI/CD pipelines.
The attacker’s strategic adaptation to current events demonstrates the dynamic threat that supply chain attacks pose to software development communities worldwide.

Image: fastlane-plugin-telegram-proxy gem
All organizations are urged to immediately remove both fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram from their environments, rotate any Telegram bot credentials used with these plugins, and audit the integrity of released build artifacts.
Additionally, network egress controls should be configured to block outbound connections to suspicious domains (notably *.workers[.]dev) unless absolutely necessary.
Ongoing monitoring of package repositories for typosquatted or suspicious updates remains essential to defend against the rapid evolution of supply chain threats.
Automated security tools, such as Socket’s detection suite, can assist by flagging hardcoded network redirects, identifying typosquatting, and highlighting suspicious package behavior during installation or code review.
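The typosquatting described earlier (a dropped letter, a swapped “-” for “_”, a borrowed “-proxy” suffix) and the monitoring recommended here can be approximated with a lockfile audit. The script below is an added example, not Socket’s detection suite: it reads the top-level gems from a Gemfile.lock, strips the shared fastlane-plugin- prefix and a list of decoy tokens, and reports any name within a small edit distance of a plugin the team actually trusts. The trusted-plugin allowlist, the decoy-token list, the distance threshold and the lockfile contents (including version numbers) are all constructed for the example.

```ruby
# Added example (not Socket's tooling): find gems in a Gemfile.lock whose
# names look like a trusted Fastlane plugin once decoy tokens are stripped.

# Constructed allowlist of plugins the team intends to use.
KNOWN_PLUGINS = ['fastlane-plugin-telegram'].freeze

# Tokens an impersonator appends to borrow a real name ("-proxy" in this
# campaign); the list is an assumption for this example.
DECOY_TOKENS = %w[proxy].freeze

MAX_DISTANCE = 2                       # assumed threshold for "looks alike"
PLUGIN_PREFIX = 'fastlane-plugin-'

# Standard Levenshtein edit distance (insert, delete and substitute cost 1).
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# "fastlane-plugin-proxy_teleram" -> "teleram": drop the shared prefix, split
# on '-' or '_' (the campaign swapped these too) and discard decoy tokens.
def core_name(gem_name)
  gem_name.delete_prefix(PLUGIN_PREFIX)
          .split(/[-_]/)
          .reject { |t| DECOY_TOKENS.include?(t) }
          .join('-')
end

# Returns [trusted_name, distance] for the closest trusted plugin within
# MAX_DISTANCE, or nil for trusted names and names that resemble nothing.
def lookalike_for(gem_name)
  return nil if KNOWN_PLUGINS.include?(gem_name)
  core = core_name(gem_name)
  KNOWN_PLUGINS.map { |k| [k, levenshtein(core, core_name(k))] }
               .select { |_, d| d <= MAX_DISTANCE }
               .min_by { |_, d| d }
end

# Top-level spec lines in a Gemfile.lock are exactly "    name (version)";
# dependency lines are indented further and do not match.
def gems_in_lockfile(lockfile)
  lockfile.scan(/^    ([A-Za-z0-9_.\-]+) \(/).flatten.uniq
end

# Returns { gem_name => { lookalike_of:, distance: } } for suspicious names.
def audit_lockfile(lockfile)
  gems_in_lockfile(lockfile).each_with_object({}) do |name, findings|
    hit = lookalike_for(name)
    findings[name] = { lookalike_of: hit[0], distance: hit[1] } if hit
  end
end

# Constructed lockfile (versions made up) containing the two gems from the article.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fastlane (2.0.0)
      fastlane-plugin-telegram (0.1.0)
      fastlane-plugin-telegram-proxy (0.1.0)
      fastlane-plugin-proxy_teleram (0.1.0)
      rake (13.0.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCKFILE).each do |name, info|
    puts "#{name}: resembles #{info[:lookalike_of]} (distance #{info[:distance]})"
  end
end
```

A distance of 0 after stripping decoy tokens (fastlane-plugin-telegram-proxy) is the impersonation case; a distance of 1 (fastlane-plugin-proxy_teleram) is the classic misspelling. Run the audit in CI before bundle install so a lookalike fails the pipeline instead of joining it.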
Indicators of Compromise (IOCs)
| Type | Value | Description |
|---|---|---|
| Malicious Gem | fastlane-plugin-telegram-proxy | Typosquatted Fastlane plugin, exfiltrates Telegram tokens |
| Malicious Gem | fastlane-plugin-proxy_teleram | Misspelled variant, identical C2 redirect behavior |
| C2 Endpoint | hxxps://rough-breeze-0c37[.]buidanhnam95[.]workers[.]dev | Command-and-control server acting as Telegram API proxy |
| Threat Actor Alias | Bùi nam, buidanhnam, si_mobile | RubyGems and GitHub identities of attacker |
| GitHub Repository | hxxps://github[.]com/buidanhnam/fastlane-plugin-telegram | Impersonation of official plugin source |