Full Report
Cybersecurity researchers have uncovered three malicious packages in the npm registry that masquerade as a popular Telegram bot library but harbor SSH backdoors and data exfiltration capabilities. The packages in question are listed below:
- node-telegram-utils (132 downloads)
- node-telegram-bots-api (82 downloads)
- node-telegram-util (73 downloads)
According to supply chain
Analysis Summary
# Tool/Technique: Rogue npm Packages Mimicking Telegram Bot API
## Overview
A set of malicious packages discovered in the npm registry, built to steal credentials and establish persistent remote access by mimicking a legitimate and popular Node.js Telegram Bot API library (`node-telegram-bot-api`). The malicious behaviour is limited to Linux hosts, so the population at risk is developers and build systems installing the packages on Linux.
## Technical Details
- Type: Malware (via Malicious Package/Library)
- Platform: Linux
- Capabilities: SSH backdoor installation, IP address harvesting, data exfiltration setup, persistent remote access.
- First Seen: Information unavailable in the provided text, but the article is dated April 19, 2025.
## MITRE ATT&CK Mapping
The activity primarily aligns with Supply Chain Compromise and establishing Persistence/Command and Control.
- **TA0001 - Initial Access**
- T1195 - Supply Chain Compromise
- T1195.002 - Compromise Software Supply Chain
- **TA0003 - Persistence**
- T1098 - Account Manipulation
- T1098.004 - SSH Authorized Keys (attacker public keys appended to `~/.ssh/authorized_keys`)
- **TA0007 - Discovery**
- T1033 - System Owner/User Discovery (harvests the local username)
- T1016 - System Network Configuration Discovery (looks up the external IP via `ipinfo[.]io/ip`)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (beacon to the external server listed under network indicators)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (harvested host data sent to the beacon endpoint)
- **TA0009 - Collection**
- T1005 - Data from Local System (the SSH backdoor gives shell access for further collection)
## Functionality
### Core Capabilities
- **Impersonation:** Published under names that read as variants of the legitimate library (`node-telegram-utils`, `node-telegram-bots-api`, `node-telegram-util`) to deceive developers searching or typing from memory.
- **Starjacking:** The rogue package's repository link points at the legitimate project's GitHub repository, so registry pages display that repository's stars and activity and the rogue package borrows its credibility.
- **SSH Backdoor Installation:** On Linux hosts only, appends two hardcoded attacker-controlled SSH public keys to the `~/.ssh/authorized_keys` file of the user running the package, giving the attacker SSH login as that user.
### Advanced Features
- **Persistent Access:** Because the backdoor is the `authorized_keys` entry rather than the package itself, uninstalling the package does not revoke access; the keys have to be removed from every host that ran it.
- **Information Gathering:** Collects the system username and the host's external IP address by querying `ipinfo[.]io/ip`.
- **C2 Beaconing:** Confirms a successful infection by beaconing out to the external server listed under network indicators.
## Indicators of Compromise
- File Hashes: [N/A in provided text]
- File Names: Rogue packages include `node-telegram-utils`, `node-telegram-bots-api`, and `node-telegram-util`.
- Registry Keys: not applicable (Linux target; no Windows registry involvement)
- Network Indicators:
- Info Gathering: `ipinfo[.]io/ip` (defanged)
- C2 Beaconing: `solana[.]validator[.]blog` (defanged)
- Behavioral Indicators: Writing SSH public keys to `~/.ssh/authorized_keys` on Linux hosts; network connection to external IP information endpoints.
## Associated Threat Actors
- The article attributes the packages to no known actor. The discovery was made by the supply chain security firm Socket.
## Detection Methods
- **Signature-based detection:** Match the three package names against `package.json`, lockfiles and `node_modules` in repositories and CI images; registry scanners and SCA feeds that carry the Socket advisory do the same.
- **Behavioral detection:** Monitor for processes writing to `~/.ssh/authorized_keys` in user home directories, and audit the file's contents against the keys that were actually provisioned.
- **Network Detection:** Alert on outbound connections to the known C2 domain (`solana[.]validator[.]blog`) and on unexpected queries to external IP lookup services such as `ipinfo[.]io` from developer machines and build agents.
## Mitigation Strategies
- **Dependency Verification:** Implement robust checks to verify the legitimacy and source of third-party dependencies, especially when package names are similar to popular projects (typosquatting/impersonation defense).
- **Scrutinize Installation Scripts and Import-Time Behaviour:** Be wary of packages that run code during installation or on first import that has nothing to do with their stated purpose; note that here the persistence lives in the SSH keys, so removing the package after the fact does not undo the damage.
- **Principle of Least Privilege:** Ensure development/CI/CD environments operate with minimal necessary privileges to limit the impact of supply chain compromises.
- **SSH Hardening:** Regularly audit `~/.ssh/authorized_keys` files for unexpected additions.
## Related Tools/Techniques
- **Starjacking:** The specific technique used to boost the apparent popularity of the package.
- **Malicious Packages targeting Telegram/API libraries:** Similar incidents involving credential or backdoor installation through dependency confusion or typosquatting in ecosystem registries (npm, PyPI, RubyGems).
- **`@naderabdi/merchant-advcash`:** Another malicious npm package mentioned in the same context; it establishes a reverse shell rather than planting SSH keys.