Malicious RubyGems pose as Fastlane to steal Telegram API data

Two malicious RubyGems packages posing as popular Fastlane CI/CD plugins redirect Telegram API requests to attacker-controlled servers to intercept and steal data. RubyGems is the official package manager for the Ruby programming language, used for distributing, installing, and managing Ruby libraries (gems), similar to npm for JavaScript and PyPI for Python. The packages intercept sensitive data, including chat IDs and message content, attached files, proxy credentials, and even bot tokens that can be used for hijacking Telegram bots. The supply chain attack was discovered by Socket researchers, who warned the Ruby developers community about the risk via a report. The two packages that typosquat Fastlane are still live on RubyGems under the following names: fastlane-plugin-telegram-proxy : Published on May 30, 2025, has 287 downloads : Published on May 30, 2025, has 287 downloads fastlane-plugin-proxy_teleram: Published on May 24, 2025, has 133 downloads Fast lane to data theft ... Read full article.