Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems

Summary: Three malicious packages have been discovered in the npm registry, masquerading as a popular Telegram bot library, which contain SSH backdoors and data exfiltration capabilities. The packages are designed to replicate the legitimate node-telegram-bot-api and utilize a technique called starjacking to deceive developers. Their installation not only compromises user systems but also ensures persistent access for attackers through inserted SSH keys, even if the packages are removed.

Affected: npm registry, node-telegram-bot-api users

Key points:

  • Malicious packages mimic node-telegram-bot-api, a legitimate library with over 100,000 weekly downloads.
  • Designed to work on Linux systems, they add SSH keys for persistent remote access.
  • Another malicious package, @naderabdi/merchant-advcash, opens a reverse shell upon payment success while disguised as a legitimate utility.
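
A small audit script in the spirit of this report, added here as an example (not from the article or from any of the packages it describes): it flags authorized_keys entries whose fingerprint is not in an administrator's baseline, and dependency names that are near-misses of node-telegram-bot-api. It assumes the planted keys land in ~/.ssh/authorized_keys; the key lines and the dependency list are constructed for the example.

```python
import base64
import hashlib
import struct
from difflib import SequenceMatcher

LEGIT_PACKAGE = "node-telegram-bot-api"  # the library named in the article


def _constructed_key_line(fill: int, comment: str) -> str:
    # Builds a syntactically valid ed25519 authorized_keys line from a dummy
    # 32-byte blob. Constructed for this example; it is not a real key.
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([fill]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


TRUSTED_LINE = _constructed_key_line(0x01, "admin@workstation")
PLANTED_LINE = _constructed_key_line(0x42, "unknown-host")
SAMPLE_AUTHORIZED_KEYS = "\n".join(
    ["# constructed sample ~/.ssh/authorized_keys", TRUSTED_LINE, PLANTED_LINE])


def fingerprint(b64_blob: str) -> str:
    # Same format ssh-keygen -lf prints: SHA256 of the raw blob, unpadded base64.
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    # Returns (key_type, fingerprint, comment); tolerates a leading options field.
    entries = []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts[:-1]):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                entries.append((tok, fingerprint(parts[i + 1]), " ".join(parts[i + 2:])))
                break
    return entries


def unknown_keys(text: str, trusted_fingerprints: set):
    # Any key whose fingerprint is not in the provisioning baseline is suspect.
    return [e for e in parse_authorized_keys(text) if e[1] not in trusted_fingerprints]


def lookalike_packages(dependencies, legit: str = LEGIT_PACKAGE, threshold: float = 0.85):
    # Flags dependency names that are near-misses of the legitimate package name.
    return [n for n in dependencies
            if n != legit and SequenceMatcher(None, n, legit).ratio() >= threshold]


if __name__ == "__main__":
    baseline = {parse_authorized_keys(TRUSTED_LINE)[0][1]}
    for key_type, fp, comment in unknown_keys(SAMPLE_AUTHORIZED_KEYS, baseline):
        print(f"unrecognised key: {key_type} {fp} ({comment})")
    print(lookalike_packages(["node-telegram-bot-api", "node-telegram-bots-api", "express"]))
```

On a real host, feed the script the contents of each user's authorized_keys and a baseline of fingerprints recorded at provisioning time; a key that appears only after an npm install is the signal the article describes.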

Source: https://thehackernews.com/2025/04/rogue-npm-packages-mimic-telegram-bot.html