A new supply chain attack has been discovered in which typosquatted Telegram bot libraries deliver SSH backdoors and facilitate data exfiltration. The attack exploits Telegram's open ecosystem and the lack of a formal vetting process for bot creation, allowing malicious npm packages to masquerade as legitimate libraries. These packages inject unauthorized SSH keys and exfiltrate data, posing serious risks to developer infrastructure and user privacy.
Affected: Telegram users, developers, software supply chains
Key points:
- The attack involves malicious npm packages posing as the popular node-telegram-bot-api library.
- Typosquatted packages have accumulated around 300 downloads, risking supply chain security.
- The malicious packages bury harmful code within seemingly legitimate library files.
- They install backdoors to enable persistent, unauthorized SSH access.
- Data exfiltration occurs via scripts that collect external IP addresses and usernames.
- There is an absence of formal vetting for Telegram bots, facilitating potential abuse.
- Attackers leverage trusted open source ecosystems to distribute disguised malware.
- Proactive security measures, including dependency audits and monitoring tools, are essential.
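The dependency audit recommended above can start with a simple near-miss check on package names. The following is an added example written for this summary, not code from the Socket report or from node-telegram-bot-api: it flags dependencies whose names sit within a couple of edits of a trusted package, or that pad a trusted name with extra characters. The package.json fragment and the look-alike names in it are constructed for illustration and are not real indicators.

```javascript
// Levenshtein edit distance between two strings (iterative, two rows).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Return dependency names that look like typosquats of any trusted name:
// within `maxDistance` edits of it, or a trusted name padded with extra text.
// An exact match is the real package and is never reported.
function findTyposquats(dependencies, trusted, maxDistance = 2) {
  const hits = [];
  for (const name of Object.keys(dependencies)) {
    if (trusted.includes(name)) continue;
    for (const legit of trusted) {
      const distance = editDistance(name, legit);
      if (distance <= maxDistance || name.includes(legit)) {
        hits.push({ name, lookalikeOf: legit, distance });
        break;
      }
    }
  }
  return hits;
}

// Constructed package.json fragment. "node-telegrm-bot-api" and
// "node-telegram-bot-api-utils" are invented look-alike names, not real IoCs,
// and the version ranges are placeholders.
const samplePackageJson = {
  dependencies: {
    "node-telegram-bot-api": "^1.0.0",
    "node-telegrm-bot-api": "^1.0.0",
    "node-telegram-bot-api-utils": "^1.0.0",
    "express": "^1.0.0",
  },
};

// Trusted names an organisation actually intends to depend on.
const TRUSTED = ["node-telegram-bot-api"];

// Scan the sample manifest; a real audit would read package.json from disk.
function scanSample() {
  return findTyposquats(samplePackageJson.dependencies, TRUSTED);
}

console.log(JSON.stringify(scanSample(), null, 2));
```

A lockfile or CI step that runs this against every manifest catches the one-character slip before `npm install` does.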
MITRE Techniques:
- T1195.002 — Supply Chain Compromise: Attack leverages the absence of vetting to compromise developer libraries.
- T1036.005 — Masquerading: Malicious packages use legitimate names to deceive developers.
- T1505.003 — Server Software Component: SSH Authorized Keys Modification: Attack modifies the authorized_keys file to grant persistent SSH access.
- T1567.002 — Exfiltration Over Web Service: The malware exfiltrates data over HTTP to malicious URLs.
Indicators of Compromise:
- [Malicious URL] solana[.]validator[.]blog
Full Story: https://socket.dev/blog/npm-malware-targets-telegram-bot-developers