NEWS One Character in the Name — and Your Telegram Bot Works for Hackers Now

ExcalibuR


Messages went out as usual… just not where you expected.


Two malicious RubyGems packages, disguised as popular Fastlane plugins, have been caught rerouting requests to the Telegram API through attacker-controlled servers — effectively intercepting and stealing developer data. The attack targets the CI/CD (Continuous Integration and Delivery) process, making it particularly dangerous for mobile development teams.


Fastlane is an open-source automation tool for mobile app development, widely used to build, sign, and publish apps, send notifications, and manage metadata. One of its popular plugins, fastlane-plugin-telegram, allows teams to send pipeline status alerts via a Telegram bot — enabling developers to stay informed of build events without constant manual monitoring.


The malicious packages, named fastlane-plugin-telegram-proxy (published on May 30, 2025, with 287 downloads) and fastlane-plugin-proxy_teleram (published on May 24, 2025, with 133 downloads), were identified by the security team at Socket. These packages closely mimicked the legitimate plugin in structure, documentation, and public API. However, the key difference was a subtle but critical one: they replaced the official Telegram API endpoint (https://api.telegram.org/) with a proxy server controlled by the attacker:
rough-breeze-0c37[.]buidanhnam95[.]workers[.]dev.


This redirection allowed the attacker to silently intercept all data sent through Telegram:


  • message content
  • chat IDs
  • attached files
  • proxy configurations
  • and — most critically — Telegram bot tokens

These tokens remain valid until manually revoked, enabling attackers to retain control over bots long after the malicious plugin has been removed.


The attackers claimed in the package description that their proxy “does not store tokens or messages.” However, this is unverifiable, as the attack relies on Cloudflare Workers, whose underlying scripts remain hidden from public inspection. As Socket's researchers note, attackers could easily log, alter, or analyze the data flowing through the proxy.


These fake plugins were enabled by a classic typosquatting technique — using names that are nearly identical to the real plugin, causing them to appear in RubyGems search results and potentially tricking developers into downloading them by mistake.


What Developers Should Do Now:


  • Immediately remove the malicious packages if installed:
    • fastlane-plugin-telegram-proxy
    • fastlane-plugin-proxy_teleram
  • Rebuild all binaries created after installing either plugin.
  • Revoke and regenerate all Telegram bot tokens used with Fastlane.
  • As a preventive step, block access to *.workers.dev domains unless absolutely required in your infrastructure.
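The two indicators the article gives (the typosquatted gem names, and a Telegram plugin whose base URL is anything other than https://api.telegram.org) can be checked mechanically against a Fastlane project. The script below is an added example for this post, not code from the article, from Socket, or from Fastlane; the Pluginfile text, the plugin source snippets and the relay host `example-relay.workers.dev` are constructed inputs, and the function names are this example's own.

```ruby
# Added example (not from the article, Socket or Fastlane): audit a Fastlane
# project for the two indicators the write-up describes:
#   1. the typosquatted gem names, and
#   2. a Telegram plugin whose base URL is not https://api.telegram.org.
# Inputs below are constructed strings standing in for a Pluginfile and
# plugin sources; in a real project read them from disk.

# Gem names reported in the article (exact strings, including the "teleram" typo).
MALICIOUS_GEMS = %w[fastlane-plugin-telegram-proxy fastlane-plugin-proxy_teleram].freeze

# The only host the legitimate plugin should ever talk to.
TELEGRAM_API_HOST = 'api.telegram.org'

# Return the known-malicious gem names declared in a Pluginfile / Gemfile.
# Only `gem 'name'` / `gem "name"` declarations count, so a comment that
# merely mentions a name does not produce a finding.
def find_malicious_plugins(pluginfile_text)
  declared = pluginfile_text.scan(/^\s*gem\s+['"]([^'"]+)['"]/).flatten
  declared & MALICIOUS_GEMS
end

# Return every http(s) host referenced in plugin source that is not the
# official Telegram API. A host-only regex is used instead of URI.parse
# because plugin source usually embeds Ruby interpolation ("#{token}") in the URL.
def find_suspicious_endpoints(source_text)
  hosts = source_text.scan(%r{https?://([A-Za-z0-9.\-]+)}).flatten.uniq
  hosts.reject { |h| h == TELEGRAM_API_HOST }
end

# Combine both checks; Cloudflare Workers hosts (the pattern the article
# suggests blocking) are annotated so the report says why a host was flagged.
def audit(pluginfile_text, plugin_sources)
  findings = { malicious_gems: find_malicious_plugins(pluginfile_text), unexpected_hosts: {} }
  plugin_sources.each do |name, src|
    hosts = find_suspicious_endpoints(src)
    next if hosts.empty?
    findings[:unexpected_hosts][name] = hosts.map do |h|
      h.end_with?('.workers.dev') ? "#{h} (Cloudflare Workers proxy)" : h
    end
  end
  findings[:clean] = findings[:malicious_gems].empty? && findings[:unexpected_hosts].empty?
  findings
end

# --- constructed sample input (not real project files) ---
SAMPLE_PLUGINFILE = <<~'PF'
  # Autogenerated by fastlane
  gem 'fastlane-plugin-telegram'
  gem 'fastlane-plugin-proxy_teleram'   # one dropped character
PF

# Single-quoted heredocs keep "#{...}" literal, as it appears in plugin source.
SAMPLE_SOURCES = {
  'fastlane-plugin-telegram' => <<~'SRC',
    uri = URI.parse("https://api.telegram.org/bot#{token}/sendMessage")
  SRC
  'fastlane-plugin-proxy_teleram' => <<~'SRC'
    # hypothetical relay host, constructed for this example
    BASE = "https://example-relay.workers.dev"
    uri = URI.parse("#{BASE}/bot#{token}/sendMessage")
  SRC
}

if __FILE__ == $PROGRAM_NAME
  report = audit(SAMPLE_PLUGINFILE, SAMPLE_SOURCES)
  puts report[:clean] ? 'No indicators found.' : report.inspect
end
```

A hit on either check is a reason to follow the list above in full (remove the gem, rebuild, revoke the bot token), since the host check only shows where traffic went, not what the relay did with it.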

This incident is a reminder of how a single character can be the difference between a trusted tool and a supply chain breach.