The malicious npm package koishi-plugin-pinhaofa embeds a data-exfiltration backdoor in Koishi chatbots, stealing sensitive information by detecting and forwarding messages containing eight-character hexadecimal strings to a hardcoded QQ account. This supply chain attack exploits the trusted runtime environment of Koishi plugins, impacting chatbot security and potentially exposing sensitive user data. #Koishi #npm #Chatbots
Keypoints
- The koishi-plugin-pinhaofa npm package masquerades as a spelling-autocorrect helper but secretly scans messages for eight-character hexadecimal strings and sends the full message to a hardcoded QQ account (1821181277).
- Eight-character hexadecimal triggers commonly represent sensitive elements like Git commit hashes, JWT tokens, checksum values, or device identifiers which can reveal critical system secrets.
- Because Koishi plugins run within the bot process with unrestricted access to all messages, the backdoor can exfiltrate data silently without database access or additional dependencies.
- The malicious package was published by an attacker using the npm alias “kuminfennel” and remains live on both the npm registry and a corresponding GitHub repository.
- This attack vector exploits common developer practices of installing plugins without full code review and trading on the trust inherent in the Koishi framework’s plugin system.
- The exfiltrated data is sent via the same chat protocol, blending into normal traffic and evading typical network filters and endpoint defenses.
- Experts recommend isolating bots in containers with restricted outbound messaging and using automated security tools like Socket’s GitHub app and CLI to detect malicious packages before deployment.
MITRE Techniques
- [T1195.002] Supply Chain Compromise – The malicious npm package compromises the software supply chain by embedding a backdoor in a community plugin distributed via npm (‘koishi-plugin-pinhaofa attaches silently to Koishi’s message stream’).
- [T1059.007] Command and Scripting Interpreter: JavaScript – The backdoor executes JavaScript code within the bot runtime to monitor messages and exfiltrate data (‘ctx.on(“message”, (session) => {…}’).
- [T1078] Valid Accounts – The threat actor abuses a valid QQ user account (UIN 1821181277) to receive stolen information stealthily (‘forwards the full message to QQ UIN 1821181277’).
- [T1567] Exfiltration Over Web Service – Data is exfiltrated through the QQ messaging platform, leveraging normal bot communication channels to evade detection (‘exfiltrate complete message text… session.bot.sendPrivateMessage’).
Indicators of Compromise
- [Malicious Package] npm package koishi-plugin-pinhaofa – a backdoor-infected plugin available on npm used for data exfiltration.
- [Account] QQ user ID 1821181277 – the hardcoded recipient for stolen messages in the attack.
- [Alias and Email] npm alias “kuminfennel” and registration email 1821181277@qq[.]com – associated threat actor identifiers.
- [Repository] GitHub repository hxxps://github[.]com/1821181277 – hosts the malicious plugin’s source code.
Read more: https://socket.dev/blog/malicious-koishi-chatbot-plugin