An ongoing supply chain attack is targeting the RubyGems ecosystem to publish malicious packages designed to steal sensitive Telegram data.
Published by a threat actor using multiple accounts under the aliases Bùi nam, buidanhnam, and si_mobile, the malicious gems (Ruby packages) pose as legitimate Fastlane plugins and exfiltrate data to an actor-controlled command and control (C2) server. Fastlane is a popular open-source tool, used widely in CI/CD pipelines, to automate building, testing, and releasing mobile apps (iOS and Android).
“Malicious actors take advantage of the trust inherent in open-source environments by embedding harmful code that can jeopardize systems, steal sensitive information, or, in this case, misdirect critical API traffic,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “The identification of certain Ruby gems aimed at exfiltrating Telegram API tokens and messages highlights a significant and ongoing risk to the software supply chain.”