Malicious npm Package Attacks Linux Developers to Install SSH Backdoors

Introduction

A concerning new type of supply chain attack has emerged, targeting Linux developers working with the Telegram bot ecosystem.

Discovered in early 2025, multiple malicious npm packages disguised themselves as legitimate Telegram bot libraries in order to plant SSH backdoors and steal sensitive data from unsuspecting developers.

These typosquatted packages accumulated approximately 300 downloads over several months; although the installation numbers were relatively low, they posed a significant security threat.

The attack specifically targeted the widely used node-telegram-bot-api library, which has been downloaded over 4.17 million times.

Malicious variants such as node-telegram-utils, node-telegram-bots-api, and node-telegram-util appeared almost identical to legitimate packages, replicating their documentation, functionality, and even linking back to the real GitHub repository with over 19,000 stars to enhance credibility and deceive developers.

Researchers at Socket.dev discovered that these packages implemented a sophisticated “starjacking” technique, pointing their homepage field back to the legitimate GitHub repository so that the original project’s reputation lent them trust.

This deception made the malicious packages particularly difficult to identify during casual inspections, as they displayed the same star count as the legitimate libraries.

Once installed in a Linux environment, the malicious packages automatically invoke a hidden function, addBotId(), from within the library’s constructor.

This function performs a platform check, and only if it detects Linux does it go on to execute its malicious payload, without any user interaction.

The attack specifically targets developer environments that frequently install npm packages during project setup or maintenance.

The key feature of this malware is its SSH backdoor implementation.

When executed on Linux systems, the malicious code modifies the ~/.ssh/authorized_keys file by adding attacker-controlled SSH keys, creating a persistent access channel that remains effective even after the package is removed.

The code not only injects multiple SSH keys for redundant access but also leaks the victim’s IP address and username to a command and control server at solana[.]validator[.]blog, allowing the attacker to enumerate infected systems for further exploitation or data theft.

Technical Report:

https://socket.dev/blog/npm-malware-targets-telegram-bot-developers

News Link:

https://cybersecuritynews.com/malicious-npm-packages-attacking-linux-developers/

Military Brother Cybersecurity News

Telling security stories that ordinary people can understand