Security researchers at Socket have uncovered two malicious RubyGems packages that pose as the popular Fastlane CI/CD Telegram plugin and redirect Telegram Bot API requests to attacker-controlled servers. RubyGems is the official package manager for the Ruby language and is widely used to distribute and manage software libraries. Because every Bot API call carries the bot token in its URL, the proxied requests expose chat IDs, message content, attached files and the bot tokens themselves. Socket disclosed the supply chain attack and warned the Ruby developer community about the risk.
Fastlane is a legitimate open-source automation tool widely used by mobile application developers to automate building, testing and releasing their apps.
The legitimate ‘fastlane-plugin-telegram’ lets Fastlane send build notifications over Telegram through a bot the developer configures. The gems Socket found are near-copies of this plugin. The one functional difference is that the Telegram API endpoint is replaced with an attacker-controlled proxy, so every request, together with the bot token embedded in its URL, passes through infrastructure the attacker operates.
That single change is enough. Bot tokens and private messages are intercepted without any visible failure, because the proxy can forward each request to Telegram and return the genuine response, so the notifications keep arriving as expected.
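To make the endpoint swap concrete, here is an added example (not code from the plugin, the malicious gems or Socket's report) of the request a Fastlane-style Telegram notifier builds, what the party terminating TLS for that endpoint learns from it, and a guard you can add to your own Fastfile or plugin wrapper so a swapped base URL fails loudly instead of silently working. The host ‘example-proxy.workers.dev’ and the token value are constructed stand-ins, not identifiers from the incident.

```ruby
require "uri"
require "net/http"
require "json"

# Host of the genuine Telegram Bot API.
TELEGRAM_API_HOST = "api.telegram.org".freeze

# Raised when code is about to send a bot token somewhere other than Telegram.
class UntrustedTelegramEndpoint < StandardError; end

# Build (but do not send) the request a Fastlane-style notifier makes.
# The Bot API puts the token in the URL path (/bot<token>/<method>), so the
# party terminating TLS for base_url sees the token, the chat_id and the text.
# base_url is the only thing the malicious gems change.
def build_send_message_request(base_url:, token:, chat_id:, text:)
  uri = URI("#{base_url.chomp('/')}/bot#{token}/sendMessage")
  req = Net::HTTP::Post.new(uri)
  req["Content-Type"] = "application/json"
  req.body = JSON.generate(chat_id: chat_id, text: text)
  [uri, req]
end

# Everything an intercepting endpoint learns from one sendMessage call.
def fields_visible_to_endpoint(uri, req)
  body = JSON.parse(req.body)
  {
    host:    uri.host,
    token:   uri.path[%r{\A/bot([^/]+)/}, 1],
    chat_id: body["chat_id"],
    text:    body["text"],
  }
end

# Guard for your own Fastfile or plugin wrapper: refuse any endpoint that is
# not HTTPS to api.telegram.org. A proxy gem only works because nothing in
# the plugin checks this.
def assert_genuine_telegram_endpoint!(uri)
  return true if uri.scheme == "https" && uri.host == TELEGRAM_API_HOST

  raise UntrustedTelegramEndpoint,
        "refusing to send a bot token to #{uri.scheme}://#{uri.host}"
end

# Send only after the guard passes (not exercised below; needs network).
def send_telegram_message(base_url:, token:, chat_id:, text:)
  uri, req = build_send_message_request(base_url: base_url, token: token,
                                        chat_id: chat_id, text: text)
  assert_genuine_telegram_endpoint!(uri)
  Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; the token is not a real one.
  token = "123456789:ABCDEFghijklmnop"
  [
    "https://api.telegram.org",            # what the legitimate plugin uses
    "https://example-proxy.workers.dev",   # hypothetical stand-in for a proxy
  ].each do |base|
    uri, req = build_send_message_request(base_url: base, token: token,
                                          chat_id: 42, text: "build ok")
    puts "#{uri.host} sees: #{fields_visible_to_endpoint(uri, req)}"
    begin
      assert_genuine_telegram_endpoint!(uri)
      puts "  guard: allowed"
    rescue UntrustedTelegramEndpoint => e
      puts "  guard: #{e.message}"
    end
  end
end
```

The point of the guard is that the Bot API's authentication lives in the URL path, so there is no secondary secret that a proxy could be missing; whoever receives the request holds the token. Pinning the scheme and host in your own code is cheap and turns a silent interception into a build failure.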
The data exposed to the proxy includes the Telegram bot token, the message text, and any files uploaded through the plugin. If the user configures proxy credentials, those are exposed as well. Because Telegram bot tokens remain valid until they are manually revoked, a captured token gives the attacker long-term access to the bot, not just a one-off snapshot of traffic. The gems’ landing pages claim the proxy neither stores nor modifies bot tokens, but Socket notes that this cannot be verified: the Cloudflare Worker script behind the endpoint is not publicly visible, so its operator is free to log or alter any data passing through it.
This is a textbook supply chain attack: the attackers published tainted gems to the official repository, dressed up as useful tools. The gems do not need to hunt for secrets on the host. The developer hands the bot token to the plugin as configuration, and the plugin sends it, as part of every API URL, to the attacker’s endpoint. That is also what makes the attack hard to spot: the code is otherwise identical to the legitimate plugin, the notifications keep arriving, and the exfiltration is indistinguishable from an ordinary HTTPS request to a Cloudflare-hosted domain. Developers who installed either gem should remove it immediately, rebuild any mobile binaries produced while it was installed, and rotate every bot token that passed through it. The researchers also suggest blocking network traffic to ‘*.workers[.]dev’ unless it is explicitly needed for legitimate operations.
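Since the only difference between the legitimate plugin and a proxying lookalike is the host in the Bot API URL, that is the thing to audit for. The following added example (not tooling from Socket or the Fastlane project) scans Ruby source for Telegram-looking code that talks to any host other than api.telegram.org, runs that scan over every installed gem, and separately compares installed fastlane plugins against the ones you intended to install. The sample gem tree it builds, including the name ‘fastlane-plugin-lookalike’ and the host ‘example-proxy.workers.dev’, is constructed for the dry run and does not refer to the real malicious gems.

```ruby
require "find"
require "tmpdir"
require "fileutils"
require "rubygems"

GENUINE_TELEGRAM_HOST = "api.telegram.org".freeze

# Lines worth inspecting: anything that builds a Bot API URL or names a proxy.
BOT_API_HINT = %r{telegram|/bot|sendMessage|sendDocument|workers\.dev}i
# Absolute http(s) URL; group 1 is the host.
URL_HOST = %r{https?://([A-Za-z0-9.\-]+)}

# Hosts that Telegram-looking code in this source would talk to.
def telegram_endpoint_hosts(source)
  hosts = []
  source.each_line do |line|
    next unless line.match?(BOT_API_HINT)
    hosts.concat(line.scan(URL_HOST).flatten.map(&:downcase))
  end
  hosts.uniq
end

# Any such host that is not api.telegram.org is a red flag.
def suspicious_hosts(source)
  telegram_endpoint_hosts(source) - [GENUINE_TELEGRAM_HOST]
end

# Walk a source tree; returns [[path, [hosts]], ...] for files that hit.
def audit_ruby_sources(root)
  findings = []
  Find.find(root) do |path|
    next unless File.file?(path) && path.end_with?(".rb")
    bad = suspicious_hosts(File.read(path))
    findings << [path, bad] unless bad.empty?
  end
  findings
end

# Name-level check: compare installed fastlane plugins against the ones you
# meant to install (the contents of your Pluginfile). Lookalike names are
# the easy catch; the endpoint scan above catches a faithful copy.
def unexpected_fastlane_plugins(installed_names, allowed_names)
  installed_names.select { |n| n.start_with?("fastlane-plugin-") } - allowed_names
end

# Same endpoint audit over every gem currently installed (no network involved).
def audit_installed_gems
  Gem::Specification.each_with_object({}) do |spec, out|
    next unless Dir.exist?(spec.full_gem_path)
    hits = audit_ruby_sources(spec.full_gem_path)
    out[spec.full_name] = hits unless hits.empty?
  end
end

# Constructed sample gem tree for a dry run: one clean plugin, one that only
# differs in the endpoint host (a hypothetical stand-in, not the real gems).
def write_sample_gem_tree(dir)
  clean = File.join(dir, "fastlane-plugin-telegram", "lib", "telegram.rb")
  proxy = File.join(dir, "fastlane-plugin-lookalike", "lib", "telegram.rb")
  FileUtils.mkdir_p(File.dirname(clean))
  FileUtils.mkdir_p(File.dirname(proxy))
  File.write(clean, <<~'RUBY')
    url = "https://api.telegram.org/bot#{token}/sendMessage"
  RUBY
  File.write(proxy, <<~'RUBY')
    # identical except for the host
    url = "https://example-proxy.workers.dev/bot#{token}/sendMessage"
  RUBY
  { clean: clean, proxy: proxy }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    write_sample_gem_tree(dir)
    audit_ruby_sources(dir).each { |path, hosts| puts "#{path}: #{hosts.join(', ')}" }
  end
  installed = %w[fastlane-plugin-telegram fastlane-plugin-lookalike rake]
  allowed   = %w[fastlane-plugin-telegram]
  puts "unexpected plugins: #{unexpected_fastlane_plugins(installed, allowed).inspect}"
end
```

Run ‘audit_installed_gems’ on a CI runner or developer machine to get a hash of gem names to offending files and hosts; an empty hash means no installed Ruby code builds Telegram requests against a foreign host. The host filter is deliberately strict: a legitimate self-hosted Bot API server would also be flagged, which is the right default for a check meant to surface surprises.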