Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems

Avatar
Cybersecurity researchers have uncovered three malicious packages in the npm registry that masquerade as a popular Telegram bot library but harbor SSH backdoors and data exfiltration capabilities. The packages in question are listed below – node-telegram-utils (132 downloads) node-telegram-bots-api (82 downloads) node-telegram-util (73 downloads) According to supply chain
[[{“value”:”

Cybersecurity researchers have uncovered three malicious packages in the npm registry that masquerade as a popular Telegram bot library but harbor SSH backdoors and data exfiltration capabilities.

The packages in question are listed below –

node-telegram-utils (132 downloads)
node-telegram-bots-api (82 downloads)
node-telegram-util (73 downloads)

According to supply chain security firm Socket, the packages are designed to mimic node-telegram-bot-api, a popular Node.js Telegram Bot API with over 100,000 weekly downloads. The three libraries are still available for download.

“While that number may sound modest, it only takes a single compromised environment to pave the way for wide-scale infiltration or unauthorized data access,” security researcher Kush Pandya said.

“Supply chain security incidents repeatedly show that even a handful of installs can have catastrophic repercussions, especially when attackers gain direct access to developer systems or production servers.”

The rogue packages not only replicate the description of the legitimate library, but also leverage a technique called starjacking in a bid to elevate the authenticity and trick unsuspecting developers into downloading them.

Starjacking refers to an approach where an open-source package is made to be more popular than it is by linking the GitHub repository associated with the legitimate library. This typically takes advantage of the non-existing validation of the relation between the package and the GitHub repository.

Socket’s analysis found that the packages are designed to explicitly work on Linux systems, adding two SSH keys to the “~/.ssh/authorized_keys” file, thus granting the attackers persistent remote access to the host.

The script is designed to collect the system username and the external IP address by contacting “ipinfo[.]io/ip.” It also beacons out to an external server (“solana.validator[.]blog”) to confirm the infection.

What makes the packages sneaky is that removing them does not completely eliminate the threat, as the inserted SSH keys grant unfettered remote access to the threat actors for subsequent code execution and data exfiltration.

The disclosure comes as Socket detailed another malicious package named @naderabdi/merchant-advcash that’s engineered to launch a reverse shell to a remote server while disguising as a Volet (formerly Advcash) integration.

“The package @naderabdi/merchant-advcash contains hardcoded logic that opens a reverse shell to a remote server upon invocation of a payment success handler,” the company said. “It is disguised as a utility for merchants to receive, validate, and manage cryptocurrency or fiat payments.”

“Unlike many malicious packages that execute code during installation or import, this payload is delayed until runtime, specifically, after a successful transaction. This approach may help evade detection, as the malicious code only runs under specific runtime conditions.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

ASUS Confirms Critical Flaw in AiCloud Routers; Users Urged to Update Firmware

Next Post

APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures

Related Posts

Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability

Citrix has released security updates for a high-severity security flaw impacting NetScaler Console (formerly NetScaler ADM) and NetScaler Agent that could lead to privilege escalation under certain conditions. The vulnerability, tracked as CVE-2024-12284, has been given a CVSS v4 score of 8.8 out of a maximum of 10.0 It has been described as a case of improper privilege management that could
Avatar
Read More