Fake Telegram Bot Libraries Unleash SSH Backdoors on Linux via npm
Developers beware! Security researchers have discovered a trio of malicious packages lurking in the npm repository, disguised as legitimate Telegram bot libraries. These imposters secretly install SSH backdoors on Linux systems and siphon off sensitive data, posing a serious threat to developers and their projects.
Cybersecurity researchers have just uncovered three sneaky packages lurking in the npm registry. These packages are pretending to be a popular Telegram bot library, but they're actually packing SSH backdoors and stealing data.
Here's a rundown of the malicious packages:
- node-telegram-utils (132 downloads)
- node-telegram-bots-api (82 downloads)
- node-telegram-util (73 downloads)
According to Socket, a supply chain security firm, these fake libraries are trying to mimic node-telegram-bot-api, a legitimate and widely used Node.js Telegram Bot API. Even though the download numbers seem low, don't underestimate the risk!
Security researcher Kush Pandya warns, "It only takes a single compromised environment to pave the way for wide-scale infiltration or unauthorized data access." He emphasizes that "even a handful of installs can have catastrophic repercussions," especially if attackers gain access to developer systems.
These rogue packages aren't just copying the legitimate library's description. They're also using a trick called starjacking to appear more trustworthy. This involves linking to the legitimate library's GitHub repository to boost their perceived popularity.
Basically, they're exploiting the lack of validation between the package and the GitHub repository to trick developers.
Socket's investigation revealed that these packages specifically target Linux systems. They add two SSH keys to the "~/.ssh/authorized_keys" file, giving attackers persistent remote access.
The malicious script also grabs the system username and external IP address by contacting "ipinfo[.]io/ip" and then "phones home" to an external server at "solana.validator[.]blog" to confirm the infection.
Here's the scary part: simply removing the packages doesn't solve the problem. The inserted SSH keys allow the attackers to maintain remote access for future attacks and data theft.
In related news, Socket also uncovered another malicious package called @naderabdi/merchant-advcash. This one launches a reverse shell to a remote server, disguising itself as a Volet (formerly Advcash) integration.
According to Socket, "@naderabdi/merchant-advcash" includes hidden code that opens a reverse shell upon a successful payment transaction. It's designed to look like a legitimate tool for managing cryptocurrency or fiat payments.
What makes this package particularly dangerous is that the malicious code doesn't run until a successful transaction occurs. This delayed execution can help it avoid detection.
