
A new supply chain attack has been uncovered by Socket’s Threat Research Team, targeting developers who create Telegram bots. The attack involves malicious npm packages that masquerade as legitimate Telegram bot libraries, delivering SSH backdoors and data exfiltration routines.
With over 1 billion monthly active users and more than 12 million paying subscribers, Telegram has become a powerful platform for bot developers. However, its unmoderated bot ecosystem—where “anyone can create and publish bots using the Bot API without a formal vetting process”—has opened the floodgates to abuse.
“Bot contests (prizes up to $50K) attract a flood of eager but often inexperienced developers,” the report states, adding that the lack of an official app store makes Telegram bots an easy target for supply chain infiltration.
Socket uncovered three malicious npm packages—node-telegram-utils, node-telegram-bots-api, and node-telegram-util—that imitate the widely trusted node-telegram-bot-api package (which has over 4.2 million downloads). These counterfeit libraries copied the README files and even linked to the legitimate GitHub repository, leveraging a technique known as starjacking to fake credibility.
Despite totaling only 300 downloads, the risk remains immense: “It only takes a single compromised environment to pave the way for wide-scale infiltration,” warned the researchers.
At the core of the attack is a hidden function called addBotId(), which is automatically invoked when the package constructor is called—without user interaction. If the operating system is detected as Linux, the function performs the following:
- Injects two SSH public keys into ~/.ssh/authorized_keys, ensuring persistent, passwordless access—even if one key is removed.
- Extracts external IP and username from the victim’s system.
- Sends the information to a malicious endpoint hosted on solana[.]validator[.]blog.
“Removing the package alone does not remove the injected SSH keys, leaving systems exposed to ongoing unauthorized access,” the report emphasizes.
The impact of this malware campaign is severe:
- Persistent server access via injected SSH keys.
- Sensitive data breaches through silent exfiltration.
- Potential full system compromise via remote code execution.
This attack is a clear reminder of how trusted development tools can become conduits for exploitation.
Socket recommends immediate defensive actions:
- Conduct regular dependency audits to identify malicious or tampered packages.
- Use automated security scanners like Socket’s AI-powered tools to detect threats before integration.
- Verify the legitimacy of open-source packages, especially those mimicking popular libraries.
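The two defensive checks above (auditing dependencies for lookalikes of node-telegram-bot-api, and confirming that no unexpected keys remain in authorized_keys after the package is removed) can be scripted. The following is an added example, not code from the Socket report; the package manifest, key lines and allowlist are constructed sample data, and the edit-distance threshold is an assumed heuristic.

```javascript
// Added example (not from the Socket report): two small audit helpers.
// Constructed sample inputs; not real keys or a real project.
const LEGIT = "node-telegram-bot-api";
// Lookalike names called out in the report.
const KNOWN_BAD = new Set(["node-telegram-utils", "node-telegram-bots-api", "node-telegram-util"]);

// Levenshtein distance, used to catch one- or two-character variations of the real name.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Dependency names that are known-bad or within 2 edits of the legitimate package.
function suspiciousDeps(pkgJson) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  return Object.keys(deps).filter(n => n !== LEGIT && (KNOWN_BAD.has(n) || editDistance(n, LEGIT) <= 2));
}

// Parse authorized_keys text (options prefix, type, key, optional comment) and return
// every entry whose key material is not on the allowlist; unparseable lines are flagged too.
function unexpectedKeys(text, allowedKeys) {
  const allowed = new Set(allowedKeys);
  return text.split("\n").map(l => l.trim()).filter(l => l && !l.startsWith("#"))
    .map(line => {
      const f = line.split(/\s+/);
      const ki = f.findIndex(x => /^(sk-)?(ssh-|ecdsa-)/.test(x));
      return ki < 0 ? { line, type: null, key: null } : { line, type: f[ki], key: f[ki + 1] };
    })
    .filter(e => !allowed.has(e.key));
}

// Constructed sample data.
const SAMPLE_PKG = { dependencies: { "node-telegram-bots-api": "^0.1.0", express: "^4.0.0", "node-telegram-util": "1.0.0" } };
const SAMPLE_AUTH_KEYS = [
  "# developer laptop",
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne dev@laptop",
  "no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABConstructedKeyTwo unknown",
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyThree",
].join("\n");
const ALLOWED = ["AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne"];

console.log("suspicious deps:", suspiciousDeps(SAMPLE_PKG));
console.log("unexpected keys:", unexpectedKeys(SAMPLE_AUTH_KEYS, ALLOWED));
```

On a real host, pass the contents of ~/.ssh/authorized_keys (and /root/.ssh/authorized_keys, since the injection persists independently of the package) to unexpectedKeys with the keys you actually provisioned as the allowlist.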
“Attackers continue to demonstrate adaptability, leveraging trusted open source ecosystems like npm to distribute malware disguised as legitimate tools,” the team warned.