Security researchers have discovered a new software supply chain threat involving three rogue npm packages that impersonate a widely used Telegram Bot API library. The malicious packages are engineered to plant SSH backdoors and exfiltrate data from Linux-based systems.
📦 Malicious Packages Identified:
node-telegram-utils (132 downloads)
node-telegram-bots-api (82 downloads)
node-telegram-util (73 downloads)
These packages imitate the trusted node-telegram-bot-api, a legitimate Node.js Telegram bot library that boasts over 100,000 weekly downloads on npm.
"While the download numbers may seem small, it only takes one compromised environment to create a massive security breach," said Kush Pandya, a security researcher at supply chain protection firm Socket.
🛑 Starjacking: A Deceptive Tactic for Open Source Abuse
These packages are particularly deceptive due to a technique known as starjacking, where the malicious libraries link to the GitHub repository of the legitimate package to falsely appear reputable. Since npm doesn’t currently verify GitHub links, attackers exploit this to boost credibility and trick developers.
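One cheap way to surface starjacking before installing a package is to compare the package name with the GitHub repository it claims, and to flag several packages that all point at the same repository. The script below is an added example, not code from the article or from Socket; the registry metadata it runs on is constructed inline in the shape that `npm view <pkg> repository --json` returns, and the repository URLs in it are illustrative.

```python
import re
from urllib.parse import urlparse

# Constructed registry metadata, shaped like the `repository` field that
# `npm view <pkg> repository --json` returns. Illustrative values only,
# not captured registry records.
SAMPLE_METADATA = {
    "node-telegram-bot-api": {
        "repository": {
            "type": "git",
            "url": "git+https://github.com/yagop/node-telegram-bot-api.git",
        }
    },
    "node-telegram-utils": {
        # Starjacking pattern: a different package name pointing at the upstream repo.
        "repository": {
            "type": "git",
            "url": "git+https://github.com/yagop/node-telegram-bot-api.git",
        }
    },
    "@acme/widget": {"repository": "github:acme/widget"},
    "no-repo-pkg": {},
}

# npm also accepts the `github:owner/repo` and bare `owner/repo` shorthands.
SHORTHAND = re.compile(r"^(?:github:)?([\w.-]+)/([\w.-]+)$")


def github_repo(repository):
    """Return (owner, repo) for a GitHub `repository` field, else None.

    Accepts the object form {"url": ...}, git+https / git+ssh URLs and the
    shorthand forms. scp-style `git@github.com:owner/repo` is not parsed
    and is reported as non-GitHub, which is the safe direction to fail.
    """
    if isinstance(repository, dict):
        repository = repository.get("url", "")
    if not isinstance(repository, str) or not repository:
        return None
    repository = repository.removeprefix("git+")
    m = SHORTHAND.match(repository)
    if m:
        owner, repo = m.groups()
    else:
        parsed = urlparse(repository)
        if parsed.hostname != "github.com":
            return None
        parts = parsed.path.strip("/").split("/")
        if len(parts) < 2:
            return None
        owner, repo = parts[0], parts[1]
    return owner, repo.removesuffix(".git")


def unscoped(package_name):
    """'@scope/name' -> 'name'; plain names are returned unchanged."""
    return package_name.rsplit("/", 1)[-1]


def check_package(package_name, metadata):
    """Classify one package's repository link.

    'ok'            repo name matches the package name
    'no-repo'       no repository declared (nothing to borrow stars from)
    'non-github'    repository is not on GitHub (outside this check)
    'name-mismatch' repo name differs from the package name: inspect by hand
    """
    repository = metadata.get("repository")
    if not repository:
        return "no-repo"
    located = github_repo(repository)
    if located is None:
        return "non-github"
    _owner, repo = located
    return "ok" if repo.lower() == unscoped(package_name).lower() else "name-mismatch"


def shared_repositories(all_metadata):
    """Map each GitHub repo to the packages claiming it, keeping only repos
    claimed by more than one package. One repo behind several names is the
    starjacking signature."""
    claims = {}
    for name, meta in all_metadata.items():
        located = github_repo(meta.get("repository"))
        if located:
            claims.setdefault(located, []).append(name)
    return {repo: names for repo, names in claims.items() if len(names) > 1}


if __name__ == "__main__":
    for name, meta in SAMPLE_METADATA.items():
        print(f"{name:24} {check_package(name, meta)}")
    for (owner, repo), names in shared_repositories(SAMPLE_METADATA).items():
        print(f"{owner}/{repo} is claimed by: {', '.join(names)}")
```

A name match is a weak signal on its own, since an attacker can fork the upstream repository and name the fork after the package; treat `name-mismatch` and shared repositories as prompts to open the repository and confirm its `package.json` actually declares the npm package name you are about to install.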
🐧 Targeted Attack on Linux Systems with SSH Backdoor Insertion
According to Socket's investigation, these npm libraries are tailored to compromise Linux environments. Upon installation, they:
Add two SSH public keys to the ~/.ssh/authorized_keys file
Fetch the host's external IP address (from ipinfo[.]io/ip)
Report to an external server (solana.validator[.]blog) for infection confirmation
🔐 Stealthy Persistence Even After Package Removal
A major concern is that uninstalling the rogue packages doesn't neutralize the threat. The injected keys stay in ~/.ssh/authorized_keys and remain valid until they are removed by hand, giving the attackers continued access to the compromised server and a foothold for code execution, lateral movement, and data theft.
💥 Related Threat: Malicious npm Package with Reverse Shell Payload
In a related disclosure, Socket also flagged another dangerous npm package:
@naderabdi/merchant-advcash
This library poses as a cryptocurrency payment integration tool but is actually designed to launch a reverse shell to an attacker-controlled server upon a successful transaction.
"Unlike many malicious packages that execute during installation, this one waits until runtime, making detection harder," Socket noted.
🔍 Key Takeaways and Security Best Practices
Always verify npm package sources and cross-check GitHub repositories.
Audit ~/.ssh/authorized_keys for unauthorized changes.
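The persistence mechanism described above and the last recommendation both come down to one check: every key in authorized_keys must be one you put there. The script below is an added example, not code from the article or from Socket. It parses the OpenSSH authorized_keys format (including the options prefix, which can contain quoted strings with spaces), compares each key against an allowlist, and reports the SHA256 fingerprint of anything unexpected in the same form `ssh-keygen -l` prints. The sample file and allowlist are constructed inline with placeholder key material so it runs offline; point `audit_file` at a real file to use it.

```python
import base64
import hashlib
import re
from pathlib import Path

# Constructed sample authorized_keys content. The key blobs are placeholders,
# not real public keys; the file is embedded so the check runs offline.
SAMPLE_AUTHORIZED_KEYS = """\
# deploy key for CI
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleCiKey0000000000000000000000000 ci@deploy
command="/usr/bin/rsync --server",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EExampleBackupKey backup@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKeyOne0000000000000000000000000
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKeyTwo0000000000000000000000000 root@pwned
"""

# Keys you deliberately provisioned, as (key type, base64 blob). Constructed.
ALLOWLIST = {
    ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIExampleCiKey0000000000000000000000000"),
    ("ssh-rsa", "AAAAB3NzaC1yc2EExampleBackupKey"),
}

KEY_TYPES = re.compile(
    r"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$"
)


def fingerprint(blob):
    """SHA256 fingerprint of a base64 key blob, formatted like `ssh-keygen -l`."""
    padded = blob + "=" * (-len(blob) % 4)
    digest = hashlib.sha256(base64.b64decode(padded)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line):
    """Parse one authorized_keys line into (options, key_type, blob, comment).

    Returns None for blank lines and comments. The options prefix has no
    whitespace except inside double quotes (e.g. command="/bin/a b"), so the
    line cannot be split naively; scan to the first unquoted space instead.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    first = stripped.split(None, 1)[0]
    options, rest = "", stripped
    if not KEY_TYPES.match(first):
        in_quote, i = False, 0
        while i < len(stripped):
            c = stripped[i]
            if c == '"' and (i == 0 or stripped[i - 1] != "\\"):
                in_quote = not in_quote
            elif c.isspace() and not in_quote:
                break
            i += 1
        options, rest = stripped[:i], stripped[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or not KEY_TYPES.match(parts[0]):
        raise ValueError(f"unparseable authorized_keys line: {line!r}")
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], parts[1], comment


def audit(text, allowlist):
    """Return one finding per key that is not in the allowlist."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, key_type, blob, comment = parsed
        if (key_type, blob) not in allowlist:
            findings.append({
                "line": n,
                "type": key_type,
                "fingerprint": fingerprint(blob),
                "comment": comment,
                "options": options,
            })
    return findings


def audit_file(path, allowlist):
    """Audit an on-disk authorized_keys file, e.g. Path.home() / ".ssh/authorized_keys"."""
    return audit(Path(path).read_text(), allowlist)


if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {f['line']}: unexpected {f['type']} key {f['fingerprint']} {f['comment']}")
```

Run it against every account's authorized_keys, root included, and check `AuthorizedKeysFile` in sshd_config, since that directive can move the file elsewhere; a key that is not in your allowlist is the finding whether or not the package that planted it has since been uninstalled.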