Malicious RubyGems Packages Hijack Fastlane Telegram Plugins in Sophisticated Supply Chain Attack
- Cyber Jack
- 1 day ago
- 3 min read
In a new chapter of software supply chain compromise, security researchers have uncovered two malicious RubyGems packages masquerading as popular Fastlane plugins, silently rerouting sensitive Telegram data through attacker-controlled servers.
The incident, first reported by security startup Socket, underscores growing concerns about the trustworthiness of third-party development tools and the risks posed by typosquatting—a tactic where malicious actors mimic the names of legitimate packages to trick developers into downloading malware.
Hijacking the Dev Pipeline
Fastlane is a widely used open-source automation suite that streamlines continuous integration and delivery (CI/CD) for mobile apps. One of its legitimate extensions, fastlane-plugin-telegram, allows users to receive build and release notifications via Telegram bots.
But Socket's researchers discovered two counterfeit gems—fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram—that closely mirror the legitimate plugin's functionality and documentation. Despite appearing benign on the surface, the clones reroute Telegram API requests from https://api.telegram.org/ to an attacker-controlled proxy endpoint hosted on Cloudflare Workers: rough-breeze-0c37[.]buidanhnam95[.]workers[.]dev.
This subtle redirect enables the attacker to intercept sensitive data such as bot tokens, chat IDs, message contents, and even uploaded files. The Telegram Bot API embeds the bot token in every request path (https://api.telegram.org/bot<token>/<method>), so a proxy that terminates the connection sees the full token, the target chat ID and the message body on every call, plus any file sent through upload methods. If proxy credentials are used, those too are captured.
Because Telegram bot tokens are long-lived and not automatically rotated, any compromised tokens could allow persistent access and abuse until they are manually revoked through BotFather.
Active and Live on RubyGems
Despite the threat, both packages remained publicly accessible on RubyGems at the time of Socket's report:
- fastlane-plugin-telegram-proxy (287 downloads, published May 30, 2025)
- fastlane-plugin-proxy_teleram (133 downloads, published May 24, 2025)
Socket's report includes screenshots showing these fake gems appearing in RubyGems search results alongside legitimate packages, a key part of their effectiveness in luring developers.
"Cloudflare Worker scripts are not publicly visible, and the threat actor retains full ability to log, inspect, or alter any data in transit," Socket stated in its advisory. "The use of this proxy, combined with the typosquatting of a trusted Fastlane plugin, clearly indicates intent to exfiltrate tokens and message data under the guise of normal CI behavior."
Because the Worker's source is not published, the full extent of data collection and manipulation cannot be determined from the outside; anyone who routed traffic through it has to assume every request was logged and could have been altered.
Security Experts Sound the Alarm
Randolph Barr, Chief Information Security Officer at Cequence, emphasized the broader implications of this incident for API and software supply chain security.
"While the scope is currently limited to Telegram, this highlights a much broader issue around API security and software supply chain trust. It’s a clear example of how API communications—often assumed to be secure—can be intercepted if attackers successfully insert themselves through compromised dependencies," said Barr.
"A strong API security program starts with comprehensive API inventory—not just what’s documented, but what’s actually running in production, staging, and even in development environments. This should be combined with regular scanning to discover shadow APIs, unapproved integrations, and outdated dependencies. From there, controls like endpoint validation, API behavior monitoring, and token governance are critical to protecting sensitive interactions."
What Developers Should Do Now
Socket recommends that any developer who installed these malicious gems should:
- Immediately uninstall both packages and confirm they no longer appear in Gemfile.lock or the Fastlane Pluginfile.
- Rebuild all mobile binaries generated since the installation: the gem ran inside the build environment, so artifacts produced while it was present cannot be trusted.
- Rotate any Telegram bot tokens used with Fastlane, since the token itself was sent through the proxy.
- Block outgoing traffic to domains ending in *.workers.dev unless absolutely necessary. Treat this as a stopgap: the proxy can be moved to any other host, so the durable fix is removing the dependency and rotating the token.
The discovery is a stark reminder that even a well-configured CI/CD pipeline can be compromised through third-party tools. As attackers continue to exploit trust in open-source ecosystems, developers must stay vigilant with dependency audits, pin plugin names exactly in the Fastlane Pluginfile and review any new gem before adding it, and maintain a proactive approach to both software hygiene and API governance.