

Ethical Hacking News

Rogue NPM Packages Lure Developers into a Web of Deceit: A Growing Concern for Linux System Security



Rogue npm packages that mimic a popular Telegram bot library have been found planting SSH backdoors on Linux systems, giving attackers persistent remote access to the host. The discovery shows that Linux developer and build machines are squarely in the sights of software supply chain attackers, and that a package name one letter away from the real thing is all it takes.

  • Three malicious npm packages have been found masquerading as the legitimate node-telegram-bot-api library.
  • On Linux, the packages append two attacker-controlled SSH public keys to ~/.ssh/authorized_keys, giving the attackers persistent remote access.
  • The packages are node-telegram-utils, node-telegram-bots-api and node-telegram-util; all three have already attracted downloads.
  • The malicious script collects the username and external IP address of the host and reports them to an attacker-controlled server to confirm the infection.
  • Even a handful of infected installs can have severe consequences, because the compromised hosts are developer systems or production servers.
  • A separate package, @naderabdi/merchant-advcash, poses as a Volet (formerly Advcash) payment integration and opens a reverse shell to a remote server only when its payment success handler is invoked.


    Cybersecurity researchers at Socket have identified three malicious npm packages that masquerade as the popular Telegram Bot API library. The rogue packages copy the functionality and description of the legitimate library to trick developers into installing them; their real purpose is to plant SSH backdoors on Linux systems, granting the attackers persistent remote access to the host.

    The three packages are node-telegram-utils, node-telegram-bots-api and node-telegram-util, and all have already attracted downloads. According to supply chain security firm Socket, they copy the description of the legitimate library, node-telegram-bot-api, which sees more than 100,000 weekly downloads. The name differences are deliberately small: an extra "s" in node-telegram-bots-api, and a swapped suffix in the other two, exactly the kind of lookalike a hurried developer or an autocomplete suggestion will accept. On Linux the malicious code appends two attacker-controlled SSH public keys to the "~/.ssh/authorized_keys" file, so the attackers can log in over SSH as that user without a password. Uninstalling the package does not undo this; the injected keys stay in authorized_keys until someone removes them by hand.

    The script that ships with these packages also collects system information, including the username and the external IP address of the host, which it obtains by querying "ipinfo[.]io/ip". It then beacons that information to a second external server, "solana.validator[.]blog", to confirm the infection to the attackers.

    The discovery underlines that Linux developer and build hosts are targets, not just end-user desktops. The researchers stress that supply chain incidents of this kind do not need large install counts to matter: even a handful of installs can have catastrophic repercussions when the compromised machines are developer systems, with access to source code, credentials and deployment pipelines, or production servers.

    Socket's analysis also turned up a fourth package, @naderabdi/merchant-advcash, which poses as a Volet (formerly Advcash) payment integration. It contains hardcoded logic that opens a reverse shell to a remote server when its payment success handler is invoked. Because the malicious code only runs under that specific runtime condition, a quick test of the package or a sandbox run that never exercises the payment path will not trigger it, which helps it evade detection.

    The discovery is another reminder that the npm registry does not vouch for a package's intent. Developers should verify the exact package name before installing (one extra letter is enough to land on a rogue package), review the install scripts of unfamiliar packages, pin and audit dependencies, and check any Linux host that may have installed one of these packages for unexpected entries in ~/.ssh/authorized_keys and for connections to the domains named above.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Rogue-NPM-Packages-Lure-Developers-into-a-Web-of-Deceit-A-Growing-Concern-for-Linux-System-Security-ehn.shtml

  • https://thehackernews.com/2025/04/rogue-npm-packages-mimic-telegram-bot.html

  • https://undercodenews.com/malicious-npm-packages-disguised-as-telegram-bot-library-found-with-ssh-backdoors-and-data-exfiltration-capabilities/


  • Published: Sat Apr 19 13:02:12 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
