Several malicious packages have been uncovered across the npm, Python, and Ruby package repositories that drain funds from cryptocurrency wallets, erase entire codebases after installation, and exfiltrate Telegram API tokens, once again demonstrating the variety of supply chain threats lurking in open-source ecosystems. The findings come from multiple reports published by Checkmarx, ReversingLabs, Safety, and Socket in recent weeks. The list of identified packages across these platforms are listed below – Socket noted that the two malicious gems were published by a threat actor under the aliases Bùi nam, buidanhnam, and si_mobile merely days after Vietnam ordered a nationwide ban on the Telegram messaging app late last month for allegedly not cooperating with the government to tackle illicit activities related to fraud, drug trafficking, and terrorism. "These gems silently exfiltrate all data sent to the Telegram API by redirecting traffic through a command-and-control (C2) server controlled by the threat actor," Socket researcher Kirill Boychenko said. "This includes bot tokens, chat IDs, message content, and attached files." The software supply chain security company said the gems are "near-identical clones" of the legitimate Fastlane plugin "fastlane-plugin-telegram," a widely used library to send deployment notifications to Telegram channels from CI/CD pipelines. The malicious change introduced by the threat actor tweaks the network endpoint used to send and receive…Read More