An ongoing supply chain attack is targeting the RubyGems ecosystem, publishing malicious packages intended to steal sensitive Telegram data.
Published by a threat actor using multiple accounts under the aliases Bùi nam, buidanhnam, and si_mobile, the malicious gems (Ruby packages) pose as legitimate Fastlane plugins and exfiltrate data to an actor-controlled command and control (C2) server. Fastlane is a popular open-source tool, used widely in CI/CD pipelines, that automates building, testing, and releasing mobile apps (iOS and Android).
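Because Fastlane plugins are ordinary gems pulled in through a project's `fastlane/Pluginfile` and resolved in `Gemfile.lock`, one practical defensive check is to audit which plugins a project actually declares and flag any that the team has not reviewed. The script below is an added example, not code from the article or from the Fastlane project; the Pluginfile and Gemfile.lock excerpts it parses are constructed samples, and the plugin names and allowlist are placeholders rather than the gems named in the report.

```ruby
# Added example (not from the article): audit the Fastlane plugins a project
# declares, cross-checking the Pluginfile against Gemfile.lock and a reviewed
# allowlist so that an unexpected "fastlane-plugin-*" gem stands out.
require 'set'

# Constructed sample of fastlane/Pluginfile (the file Fastlane's plugin
# system generates). Plugin names are placeholders for this example.
SAMPLE_PLUGINFILE = <<~RUBY
  # Autogenerated by fastlane
  gem 'fastlane-plugin-versioning'
  gem 'fastlane-plugin-example_notify'
RUBY

# Constructed sample Gemfile.lock excerpt; versions are illustrative only.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fastlane (2.222.0)
      fastlane-plugin-versioning (0.5.2)
      fastlane-plugin-example_notify (1.0.0)
LOCK

# Plugins the team has reviewed (hypothetical allowlist); anything else
# declared in the Pluginfile is reported for manual review.
ALLOWLIST = Set['fastlane-plugin-versioning'].freeze

# Return the gem names declared with `gem '...'` lines; comments are skipped
# because the regex requires the line to start with `gem`.
def declared_plugins(pluginfile_text)
  pluginfile_text.each_line.filter_map do |line|
    m = line.match(/^\s*gem\s+['"]([^'"]+)['"]/)
    m && m[1]
  end
end

# Return {name => version} for the top-level specs in a Gemfile.lock.
# Top-level specs are indented exactly four spaces; their dependencies are
# indented six, so the anchored regex ignores them.
def locked_versions(lockfile_text)
  lockfile_text.each_line.each_with_object({}) do |line, specs|
    m = line.match(/^ {4}(\S+) \(([^)]+)\)/)
    specs[m[1]] = m[2] if m
  end
end

# Compare declared plugins against the lockfile and allowlist.
#   :unreviewed - declared plugins missing from the allowlist
#   :unlocked   - declared plugins with no pinned version in Gemfile.lock
def audit_plugins(pluginfile_text, lockfile_text, allowlist)
  declared = declared_plugins(pluginfile_text)
  locked = locked_versions(lockfile_text)
  {
    unreviewed: declared.reject { |name| allowlist.include?(name) },
    unlocked: declared.reject { |name| locked.key?(name) }
  }
end

if $PROGRAM_NAME == __FILE__
  result = audit_plugins(SAMPLE_PLUGINFILE, SAMPLE_LOCKFILE, ALLOWLIST)
  result[:unreviewed].each { |name| puts "REVIEW: #{name} is not on the allowlist" }
  result[:unlocked].each { |name| puts "WARN: #{name} has no pinned version" }
  puts 'All declared plugins are reviewed and pinned' if result.values.all?(&:empty?)
end
```

Run against the real files with `audit_plugins(File.read('fastlane/Pluginfile'), File.read('Gemfile.lock'), ALLOWLIST)` in CI; a non-empty `:unreviewed` list is the point at which someone should look at the gem's publisher and source before the pipeline is allowed to install it.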
“Malicious actors exploit the trust inherent in open-source environments by embedding harmful code that can compromise systems, steal sensitive information, or, in this case, misdirect critical API traffic,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “The identification of certain Ruby gems aimed at exfiltrating Telegram API tokens and messages highlights a significant and ongoing risk to the software supply chain.”