Malicious npm Packages Disguised as Telegram Bot Library Found with SSH Backdoors and Data Exfiltration Capabilities

Cybersecurity experts have recently uncovered a set of malicious npm packages hiding within the vast ecosystem of open-source libraries. These packages, designed to masquerade as a legitimate Telegram bot library, were discovered to harbor dangerous SSH backdoors and capabilities for data exfiltration. With thousands of developers relying on npm to install dependencies, this discovery is a stark reminder of the risks present within the open-source supply chain.

The three packages in question—node-telegram-utils, node-telegram-bots-api, and node-telegram-util—might appear to be innocuous, but they conceal malicious code. They target developers who might mistake them for the widely used node-telegram-bot-api, a library with over 100,000 downloads per week. Despite their modest download numbers, these packages can lead to serious breaches if they find their way into even a single development environment.

Overview of the Malicious Packages

– node-telegram-utils: 132 downloads
– node-telegram-bots-api: 82 downloads
– node-telegram-util: 73 downloads

These packages were specifically crafted to mimic node-telegram-bot-api, a widely trusted Node.js library for building Telegram bots. The malicious libraries not only reuse the description of the legitimate package but also employ a technique known as “starjacking”: linking to the GitHub repository of the legitimate project so that the malicious package borrows its apparent popularity, luring developers into installing the trojanized versions.

According to Socket, a supply chain security firm, the packages were designed with Linux systems in mind. Once installed, they modify the system’s SSH configuration by adding two SSH keys to the “~/.ssh/authorized_keys” file, thus granting attackers persistent remote access. These keys allow for undetected backdoor entry, enabling attackers to remotely execute code, exfiltrate data, or even deploy additional malicious payloads.
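The two warning signs described above (a repository link that belongs to another project, and code that runs at install time) can both be checked offline from a package's manifest before anything is installed. The following Node.js script is an added example, not code from the article, Socket, or npm; the list of popular names, the `EXAMPLE-OWNER` repository owner and the `setup.js` script path are placeholders constructed for the demonstration. It also flags names within two edits of a popular package, which is a generalization beyond the starjacking case the article reports.

```javascript
// Added example for this write-up; not code from the article, Socket, or npm.
// Offline audit of an npm package manifest (package.json) for the red flags
// the article describes: a repository link that points at somebody else's
// project (starjacking), a name one or two edits away from a popular package,
// and lifecycle scripts that run code at install time.

// Hypothetical allowlist of popular names to protect (constructed).
const POPULAR_PACKAGES = ['node-telegram-bot-api', 'telegraf', 'express'];

// Lifecycle hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Standard Levenshtein edit distance between two strings.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Reduce the manifest's repository field ("owner/repo", "github:owner/repo",
// or { url: "git+https://host/owner/repo.git" }) to "owner/repo".
function repoSlug(repository) {
  if (!repository) return null;
  const raw = typeof repository === 'string' ? repository : repository.url || '';
  const m = raw.replace(/\.git$/, '').match(/([\w.-]+)\/([\w.-]+)$/);
  return m ? `${m[1]}/${m[2]}` : null;
}

// Returns a list of human-readable findings; an empty list means no red flag.
function auditManifest(manifest, popular = POPULAR_PACKAGES) {
  const findings = [];
  const bareName = manifest.name.split('/').pop(); // drop an @scope/ prefix

  const slug = repoSlug(manifest.repository);
  if (slug && slug.split('/')[1] !== bareName) {
    const repoName = slug.split('/')[1];
    const hint = popular.includes(repoName) ? ' (a popular package)' : '';
    findings.push(`repository points at ${slug}, not at ${manifest.name}${hint}: possible starjacking`);
  }

  for (const p of popular) {
    const d = levenshtein(bareName, p);
    if (d > 0 && d <= 2) findings.push(`name is ${d} edit(s) from ${p}: possible typosquat`);
  }

  const hooks = INSTALL_HOOKS.filter((h) => manifest.scripts && manifest.scripts[h]);
  if (hooks.length) findings.push(`runs code at install time via: ${hooks.join(', ')}`);
  return findings;
}

// Constructed manifests. The owner name and script path are placeholders,
// not the real packages' metadata.
const SUSPICIOUS = {
  name: 'node-telegram-utils',
  repository: { type: 'git', url: 'git+https://github.com/EXAMPLE-OWNER/node-telegram-bot-api.git' },
  scripts: { postinstall: 'node ./setup.js' },
};
const TYPOSQUAT = { name: 'node-telegram-bots-api' };
const LEGIT = {
  name: 'node-telegram-bot-api',
  repository: 'github:EXAMPLE-OWNER/node-telegram-bot-api',
};

for (const m of [SUSPICIOUS, TYPOSQUAT, LEGIT]) {
  console.log(m.name, auditManifest(m));
}
```

The install-hook finding is the one to act on first: `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) prevents such hooks from running until the package has been reviewed, which is exactly the phase in which the SSH-key payload described here executes.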

Additionally, the script within these malicious packages collects system information, including the username and external IP address, and beacons to an external server so the attackers can confirm that the infection succeeded.

The Sneaky Nature of the Attack

What makes these packages particularly dangerous is that simply removing them does not remove the threat entirely. The inserted SSH keys provide persistent remote access to attackers, allowing them to re-enter the system at will and continue their operations undetected. This level of persistence is difficult to eradicate unless the SSH keys are manually removed and all traces of the infection are thoroughly cleansed from the system.
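Because uninstalling the package leaves the injected keys in place, the cleanup step is an audit of every affected account's authorized_keys file against the keys that are actually supposed to be there. The Node.js script below is an added example, not the article's or Socket's code; the allowlist, the sample file and the key blobs in it are constructed and are not real key material. It only compares the key blob itself, since the trailing comment is attacker-controlled.

```javascript
// Added example for this write-up; not code from the article or Socket.
// Audits an OpenSSH authorized_keys file against an allowlist of known-good
// public keys, reports every entry that is not on it, and produces a cleaned
// copy. Sample content below is constructed; the key blobs are not real keys.

const KEY_TYPES = new Set([
  'ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384',
  'ecdsa-sha2-nistp521', 'sk-ssh-ed25519@openssh.com', 'sk-ecdsa-sha2-nistp256@openssh.com',
]);

// Parse one line into { options, type, key, comment }. Returns null for blank
// and comment lines. Options such as command="..." may precede the key type;
// locating the first key-type token keeps quoted spaces in options harmless.
function parseAuthorizedKeysLine(line) {
  const trimmed = line.trim();
  if (!trimmed || trimmed.startsWith('#')) return null;
  const tokens = trimmed.split(/\s+/);
  const typeIdx = tokens.findIndex((t) => KEY_TYPES.has(t));
  if (typeIdx < 0 || typeIdx + 1 >= tokens.length) return { malformed: true, raw: trimmed };
  return {
    options: tokens.slice(0, typeIdx).join(' '),
    type: tokens[typeIdx],
    key: tokens[typeIdx + 1],
    comment: tokens.slice(typeIdx + 2).join(' '),
  };
}

// Only the key blob is compared; the trailing comment is attacker-controlled
// and can be made to look like a familiar user@host, so it is never trusted.
function isUnexpected(entry, allowed) {
  return entry.malformed || !allowed.has(entry.key);
}

// Returns the unexpected entries with their 1-based line numbers.
function auditAuthorizedKeys(content, allowedKeys) {
  const allowed = new Set(allowedKeys);
  const unexpected = [];
  content.split('\n').forEach((line, i) => {
    const entry = parseAuthorizedKeysLine(line);
    if (entry && isUnexpected(entry, allowed)) {
      unexpected.push({
        line: i + 1,
        type: entry.type || 'unparsable',
        options: entry.options || '',
        comment: entry.comment || '',
      });
    }
  });
  return unexpected;
}

// Returns the file content with unexpected entries dropped (comments kept), to
// write back once the findings have been reviewed.
function removeUnexpectedKeys(content, allowedKeys) {
  const allowed = new Set(allowedKeys);
  return content.split('\n').filter((line) => {
    const entry = parseAuthorizedKeysLine(line);
    return !entry || !isUnexpected(entry, allowed);
  }).join('\n');
}

// Constructed allowlist and sample file (fake key material).
const ALLOWED_KEYS = ['AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEallowlisted00000000000000000000000000'];
const SAMPLE_AUTHORIZED_KEYS = [
  '# constructed sample, not a real authorized_keys file',
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEallowlisted00000000000000000000000000 alice@laptop',
  'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQEXAMPLEunknown1111111111111111111111111111 alice@laptop',
  'command="/bin/true",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEunknown222222222222222222222222222222',
  '',
].join('\n');

for (const f of auditAuthorizedKeys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_KEYS)) {
  console.log(`line ${f.line}: unexpected ${f.type} key, comment "${f.comment}", options "${f.options}"`);
}
```

Run it against the authorized_keys file of every account that performed an `npm install` on the affected host, plus root, and compare with `~/.ssh/authorized_keys2` where it exists, since sshd reads that file too by default. The third sample line shows why comments are ignored: it carries the same `alice@laptop` label as the legitimate key and is still flagged.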

This discovery follows another recent finding by Socket, which revealed a malicious package named @naderabdi/merchant-advcash. This package masquerades as a legitimate Volet integration for managing cryptocurrency or fiat payments but contains hardcoded logic that opens a reverse shell to a remote server after a successful transaction. Unlike many malicious packages that execute during installation, this one only triggers after specific runtime conditions are met, making it harder to detect during the installation phase.

What Undercode Says:

The fact that these malicious packages have evaded detection by unsuspecting developers for so long highlights significant gaps in the security mechanisms within the npm ecosystem. Developers often rely on community-driven repositories like npm, GitHub, and others to save time and resources by incorporating widely-used packages. Unfortunately, this trust can be exploited by malicious actors who are aware of how easy it is to mimic the names and descriptions of legitimate libraries.

A critical takeaway from this incident is the importance of verifying the authenticity of each package, especially when it comes to popular dependencies. The attackers’ use of starjacking to artificially inflate the popularity of their malicious libraries is a tactic that shows how attackers are becoming increasingly sophisticated at blending in with legitimate projects. This strategy leverages the trust developers place in package popularity and can easily deceive even the most vigilant among them.

Additionally, the fact that these trojanized packages primarily targeted Linux systems is a reminder that security practices must account for all environments where code is executed. Developers should ensure their systems are up-to-date with the latest security patches, use tools to scan dependencies for vulnerabilities, and be cautious about the packages they install—especially when working with less familiar or less popular libraries.

This incident also highlights the growing need for improved supply chain security and developer education. Attackers are increasingly targeting the developer ecosystem itself, making it essential for everyone involved in software development—from individual programmers to large organizations—to adopt best practices for securing their supply chains.

Security firms and open-source platforms like npm and GitHub must also step up their efforts to monitor and verify the integrity of packages in their ecosystems. This might involve more robust vetting processes for new packages, as well as continuous monitoring for suspicious behavior or anomalies.

Fact Checker Results:

  1. The malicious npm packages listed are indeed present in the npm registry, and their description mimics that of a legitimate library.
  2. These packages target Linux systems by inserting SSH keys, providing attackers with remote access.
  3. Starjacking is confirmed as a technique used to artificially inflate the legitimacy of the malicious packages.

References:

Reported By: thehackernews.com