Risk may extend past the regional ban: The malicious packages (gems) were published by the threat actor on May 24, 2025, three days after Vietnam’s Ministry of Information and Communications ordered a nationwide ban on Telegram and gave internet service providers until June 2 to report compliance.

Apart from the timing, the aliases used by the threat actor also suggested a Vietnamese theme, along with the “Telegram proxy” hook used for marketing the gems. While seemingly targeted, the attack may still have impacts outside of the ban.

“The operator, using Vietnamese-language aliases, pushed the gems days after Vietnam banned Telegram, but the code has no geofence, so any Fastlane pipeline that pulled the plugin was compromised,” Soroko explained.

For potential targets, Boychenko recommended verifying Telegram proxies, “if they are looking for one,” by checking for open-source licensing, transparent author details, configurable endpoints (not silent, hardcoded replacements), and clear privacy and logging policies.

Typosquatting dependencies remain a popular supply chain attack technique. Recently, attackers were found dropping over 60 malicious npm packages within two weeks to steal network information, a discovery also reported by Boychenko. Malicious actors have also begun a novel approach of exploiting AI hallucinations to carry out SlopSquatting attacks, publishing malicious packages with names that AI tools might incorrectly suggest to developers.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4002437/supply-chain-attack-hits-rubygems-to-steal-telegram-api-data.html

