Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
Cybersecurity researchers have uncovered three malicious packages in the npm registry that masquerade as a popular Telegram bot library but harbor SSH backdoors and data exfiltration capabilities.
The packages in question are listed below –
According to supply chain security firm Socket, the packages are designed to mimic node-telegram-bot-api, a popular Node.js Telegram Bot API with over 100,000 weekly downloads. The three libraries are still available for download.
“While that number may sound modest, it only takes a single compromised environment to pave the way for wide-scale infiltration or unauthorized data access,” security researcher Kush Pandya said.
“Supply chain security incidents repeatedly show that even a handful of installs can have catastrophic repercussions, especially when attackers gain direct access to developer systems or production servers.”
The rogue packages not only replicate the description of the legitimate library, but also leverage a technique called starjacking in a bid to elevate the authenticity and trick unsuspecting developers into downloading them.
Starjacking refers to an approach where an open-source package is made to be more popular than it is by linking the GitHub repository associated with the legitimate library. This typically takes advantage of the non-existing validation of the relation between the package and the GitHub repository.
Socket’s analysis found that the packages are designed to explicitly work on Linux systems, adding two SSH keys to the “~/.ssh/authorized_keys” file, thus granting the attackers persistent remote access to the host.
The script is designed to collect the system username and the external IP address by contacting “ipinfo[.]io/ip.” It also beacons out to an external server (“solana.validator[.]blog”) to confirm the infection.
What makes the packages sneaky is that removing them does not completely eliminate the threat, as the inserted SSH keys grant unfettered remote access to the threat actors for subsequent code execution and data exfiltration.
The disclosure comes as Socket detailed another malicious package named @naderabdi/merchant-advcash that’s engineered to launch a reverse shell to a remote server while disguising as a Volet (formerly Advcash) integration.
“The package @naderabdi/merchant-advcash contains hardcoded logic that opens a reverse shell to a remote server upon invocation of a payment success handler,” the company said. “It is disguised as a utility for merchants to receive, validate, and manage cryptocurrency or fiat payments.”
“Unlike many malicious packages that execute code during installation or import, this payload is delayed until runtime, specifically, after a successful transaction. This approach may help evade detection, as the malicious code only runs under specific runtime conditions.”
