An ongoing supply chain attack is targeting the RubyGems ecosystem to publish malicious packages intended to steal sensitive Telegram data.
Published by a threat actor operating multiple accounts under the aliases Bùi nam, buidanhnam, and si_mobile, the malicious gems (Ruby packages) pose as legitimate Fastlane plugins and exfiltrate data to an actor-controlled command and control (C2) server. Fastlane is a popular open-source tool, used extensively in CI/CD pipelines, that automates building, testing, and releasing mobile apps (iOS and Android).
“Malicious actors take advantage of the trust inherent in open-source environments by embedding harmful code that can jeopardize systems, steal sensitive information, or, in this case, misdirect critical API traffic,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “The identification of certain Ruby gems aimed at exfiltrating Telegram API tokens and messages highlights a significant and ongoing risk to the software supply chain.”
