An ongoing supply chain attack is targeting the RubyGems ecosystem to publish malicious packages intended to steal sensitive Telegram data.
Published by a threat actor using multiple accounts under the aliases Bùi nam, buidanhnam, and si_mobile, the malicious gems (Ruby packages) pose as legitimate Fastlane plugins and exfiltrate data to an actor-controlled command and control (C2) server. Fastlane is a popular open-source tool, used widely in CI/CD pipelines, that automates building, testing, and releasing mobile apps (iOS and Android).
“Malicious actors exploit the trust inherent in open-source environments by embedding harmful code that can compromise systems, steal sensitive information, or, in this case, redirect critical API traffic,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “The identification of certain Ruby gems aimed at exfiltrating Telegram API tokens and messages highlights a significant and ongoing risk to the software supply chain.”
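The two warning signs described above, a look-alike plugin name and outbound traffic to a host the plugin has no business talking to, can both be checked offline before a gem is allowed into a CI/CD pipeline. The following Ruby script is an added example written for this article, not code from the article, from Fastlane or from RubyGems. It assumes that a genuine Telegram plugin only needs to reach `api.telegram.org` (the allow-list is an assumption), and the gem names, file paths and the `example.invalid` host in the constructed sample are placeholders, not indicators taken from the reported campaign.

```ruby
# Added example (not from the article): offline audit of Fastlane plugin gems
# for (1) names that sit within a small edit distance of a known plugin and
# (2) hard-coded network hosts outside an allow-list. A gem that "redirects
# API traffic" has to name a second destination somewhere in its source.

# Assumption: the only host a legitimate Telegram Fastlane plugin needs.
ALLOWED_HOSTS = %w[api.telegram.org].freeze

# Captures the host part of any http(s) URL literal in Ruby source.
HOST_RE = %r{https?://([a-z0-9.-]+)}i

# Returns the unique, lower-cased hosts referenced in one source file.
def extract_hosts(source)
  source.scan(HOST_RE).flatten.map(&:downcase).uniq
end

# Hosts that are referenced but not on the allow-list.
def suspicious_hosts(source, allowed = ALLOWED_HOSTS)
  extract_hosts(source) - allowed
end

# Audits a { path => source } hash; returns only the files with findings.
def audit_gem_sources(sources, allowed = ALLOWED_HOSTS)
  sources.each_with_object({}) do |(path, src), findings|
    bad = suspicious_hosts(src, allowed)
    findings[path] = bad unless bad.empty?
  end
end

# Levenshtein distance, used to spot typosquats of known plugin names.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev.last
end

# Gem names that are not in the known list but are within max_distance of one.
def lookalike_gems(names, known, max_distance: 2)
  names.reject { |n| known.include?(n) }
       .select { |n| known.any? { |k| edit_distance(n, k) <= max_distance } }
end

# Constructed sample inputs (placeholders, not real gems or indicators):
KNOWN_PLUGINS = %w[fastlane-plugin-telegram].freeze
CANDIDATE_GEMS = %w[fastlane-plugin-telegram fastlane-plugin-telegran].freeze

CONSTRUCTED_SOURCES = {
  "fastlane-plugin-telegram/lib/telegram_action.rb" => <<~'RUBY',
    uri = URI("https://api.telegram.org/bot#{token}/sendMessage")
  RUBY
  "fastlane-plugin-telegran/lib/telegram_action.rb" => <<~'RUBY',
    uri = URI("https://api.telegram.org/bot#{token}/sendMessage")
    mirror = URI("https://example.invalid/collect") # placeholder second destination
  RUBY
}.freeze

if $PROGRAM_NAME == __FILE__
  puts "look-alike names: #{lookalike_gems(CANDIDATE_GEMS, KNOWN_PLUGINS).inspect}"
  audit_gem_sources(CONSTRUCTED_SOURCES).each do |path, hosts|
    puts "#{path}: unexpected hosts #{hosts.join(', ')}"
  end
end
```

Run it against a vendored `gems/` directory by reading each `.rb` file into the hash that `audit_gem_sources` expects; both checks are heuristics, so a hit is a reason to read the gem before installing it, not proof of malice, and an empty result does not clear a gem that fetches its destination at runtime.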