Security researchers have identified three deceptive packages in the npm registry that pose as a legitimate Telegram bot library while secretly containing SSH backdoors and data theft capabilities.
The fraudulent packages—node-telegram-utils (132 downloads), node-telegram-bots-api (82 downloads), and node-telegram-util (73 downloads)—attempt to mimic the widely used node-telegram-bot-api, which has over 100,000 weekly downloads. All three malicious packages remain available for download.
"While that number may sound modest, it only takes a single compromised environment to pave the way for wide-scale infiltration or unauthorised data access," explains security researcher Kush Pandya from supply chain security firm Socket.
"Supply chain security incidents repeatedly show that even a handful of installs can have catastrophic repercussions, especially when attackers gain direct access to developer systems or production servers."
These malicious packages employ multiple tactics to appear legitimate:
Socket's investigation revealed that these packages specifically target Linux systems by:
What makes this threat particularly dangerous is that simply uninstalling the packages doesn't eliminate the risk—the inserted SSH keys continue to provide attackers with remote access for further exploitation and data exfiltration.
This discovery comes alongside Socket's report of another malicious package called @naderabdi/merchant-advcash, which creates a reverse shell connection to a remote server while masquerading as a Volet (formerly Advcash) integration.
"Unlike many malicious packages that execute code during installation or import, this payload is delayed until runtime, specifically, after a successful transaction," Socket noted. "This approach may help evade detection, as the malicious code only runs under specific runtime conditions."