A new supply chain attack has surfaced in the Ruby ecosystem, targeting developers who use the Fastlane automation tool for mobile app deployment. Two malicious RubyGems packages have been found redirecting Telegram API traffic through attacker-controlled proxies, enabling the theft of sensitive bot-related data.
The discovery was made by security researchers at Socket, who have issued a warning to the developer community about this targeted impersonation of Fastlane’s notification capabilities.
Telegram Bot Tokens and Developer Data Exfiltrated via Proxy
The two rogue gems were uploaded to RubyGems under names that closely resemble legitimate Fastlane plugins:
fastlane-plugin-telegram-proxy(published May 30, 2025 – 287 downloads)fastlane-plugin-proxy_teleram(published May 24, 2025 – 133 downloads)
These packages mimic the original Fastlane Telegram plugin, which is used by mobile developers to send build and deployment notifications to Telegram channels. In most respects, the malicious versions appear identical to the official gem, replicating its API structure, documentation, and usage behavior.
However, instead of sending data to the legitimate https://api.telegram.org/ endpoint, the malicious gems quietly reroute it to a proxy server controlled by the attacker:
rough-breeze-0c37[.]buidanhnam95[.]workers[.]dev
From the project description
Source: Socket
This proxy captures all outgoing traffic, including:
- Telegram bot tokens
- Chat messages and metadata
- Uploaded files
- Proxy configuration credentials (if used)
According to Socket, once an attacker has access to a bot token, they can hijack the Telegram bot indefinitely—unless the victim manually revokes the token.
Attackers Use Cloudflare Workers to Obfuscate Proxy Behavior
The proxy infrastructure is deployed using Cloudflare Workers, which operate as serverless scripts. Socket points out a critical problem with this setup:
“Cloudflare Worker scripts are not publicly visible, and the threat actor retains full ability to log, inspect, or alter any data in transit.”
The attacker has not published the source code for the proxy, leaving no way to confirm whether or not the data is stored or manipulated—despite a statement on the gem’s page that the proxy “does not store or modify your bot tokens.”
Socket states clearly:
“The use of this proxy, combined with the typosquatting of a trusted Fastlane plugin, clearly indicates intent to exfiltrate tokens and message data under the guise of normal CI behavior.”
Urgent Steps Developers Must Take
Developers who have installed either of the two compromised RubyGems should take immediate action:
- Uninstall the malicious gems
- Rebuild all mobile binaries created after installation
- Rotate all Telegram bot tokens used with Fastlane
Additionally, Socket advises organizations to block outbound traffic to *.workers[.]dev unless explicitly required. This can reduce exposure to further misuse of cloud-based proxy infrastructure.
As supply chain attacks increasingly target developer tools and CI/CD environments, this incident serves as another reminder that even small plugins can become entry points for widespread compromise.
