Security researchers have identified three deceptive packages in the npm registry that pose as a legitimate Telegram bot library while secretly containing SSH backdoors and data theft capabilities.
The fraudulent packages—node-telegram-utils (132 downloads), node-telegram-bots-api (82 downloads), and node-telegram-util (73 downloads)—attempt to mimic the widely-used node-telegram-bot-api, which has over 100,000 weekly downloads. All three malicious packages remain available for download.
"While that number may sound modest, it only takes a single compromised environment to pave the way for wide-scale infiltration or unauthorised data access," explains security researcher Kush Pandya from supply chain security firm Socket.
"Supply chain security incidents repeatedly show that even a handful of installs can have catastrophic repercussions, especially when attackers gain direct access to developer systems or production servers."
Sophisticated Deception Techniques
These malicious packages employ multiple tactics to appear legitimate:
- They duplicate the description of the genuine library
- They utilise a technique called starjacking—linking to the GitHub repository of the legitimate package to artificially boost their credibility and deceive developers
Technical Details of the Attack
Socket's investigation revealed that these packages specifically target Linux systems by:
- Adding two SSH keys to the "~/.ssh/authorized_keys" file, granting persistent remote access
- Collecting the system username and external IP address through "ipinfo[.]io/ip"
- Connecting to an external server ("solana.validator[.]blog") to confirm successful infection
What makes this threat particularly dangerous is that simply uninstalling the packages doesn't eliminate the risk—the inserted SSH keys continue to provide attackers with remote access for further exploitation and data exfiltration.
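As an added defender-side example (mine, not the article's or Socket's), the following Node.js check scans a package.json dependency map for names that resemble a vetted library, combining edit distance with shared leading name tokens so that all three lookalikes reported above are flagged for review. The TRUSTED list, the thresholds and the sample dependency map are assumptions constructed for this example.

```javascript
// Assumption for this example: the packages the project has actually vetted.
const TRUSTED = ["node-telegram-bot-api"];
// Standard Levenshtein edit distance using a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Split "@scope/some-pkg_name.js" into ["some", "pkg", "name", "js"] (scope dropped).
function tokens(name) {
  return name.replace(/^@[^/]+\//, "").split(/[-._]/).filter(Boolean);
}

// Reason string when 'candidate' resembles 'trusted', else null. A hit is a review trigger,
// not proof of malice; the thresholds (distance <= 2, >= 2 leading tokens) are assumptions.
function lookalikeReason(candidate, trusted) {
  if (candidate === trusted) return null;
  const dist = levenshtein(candidate, trusted);
  if (dist <= 2) return `edit distance ${dist} from ${trusted}`;
  const ct = tokens(candidate), tt = tokens(trusted);
  let shared = 0; // leading tokens in common, e.g. "node", "telegram"
  while (shared < ct.length && shared < tt.length && ct[shared] === tt[shared]) shared++;
  return shared >= 2 ? `shares ${shared} leading name tokens with ${trusted}` : null;
}

// Audit a package.json "dependencies" object; returns one finding per lookalike pair.
function auditDependencies(deps, trusted = TRUSTED) {
  const findings = [];
  for (const name of Object.keys(deps)) for (const t of trusted) {
    const reason = lookalikeReason(name, t);
    if (reason) findings.push({ name, trusted: t, reason });
  }
  return findings;
}

// Constructed sample: the genuine library, the three lookalikes named in the article, and two
// names that must not be flagged (the unrelated @naderabdi/merchant-advcash package, express).
const SAMPLE_DEPS = { "node-telegram-bot-api": "*", "node-telegram-utils": "*", "node-telegram-bots-api": "*",
  "node-telegram-util": "*", "@naderabdi/merchant-advcash": "*", "express": "*" };
for (const f of auditDependencies(SAMPLE_DEPS)) console.log(`REVIEW ${f.name}: ${f.reason}`);
```

A pure edit-distance threshold misses node-telegram-utils and node-telegram-util (their suffixes differ too much), which is why the leading-token rule is needed; in practice, run the audit in CI against the lockfile and treat hits as items to verify against the registry, not as automatic blocks.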
Related Threats
This discovery comes alongside Socket's report of another malicious package called @naderabdi/merchant-advcash, which creates a reverse shell connection to a remote server while masquerading as a Volet (formerly Advcash) integration.
"Unlike many malicious packages that execute code during installation or import, this payload is delayed until runtime, specifically, after a successful transaction," Socket noted. "This approach may help evade detection, as the malicious code only runs under specific runtime conditions."