Malicious npm Packages Discovered Mimicking Telegram Bot Library to Deploy SSH Backdoors


By Tina Reynolds


Cybersecurity researchers discovered three malicious packages in the npm registry that could severely impact any developer using them. These packages try to hide themselves under the guise of a well-known package, a popular Telegram bot library, the node-telegram-bot-api, that has over 100k weekly downloads. These malicious packages, which masqueraded with names like node-telegram-utils, node-telegram-bots-api, and node-telegram-util, included SSH backdoors as well as data exfiltration capabilities. Alarmingly, these dangerous packages are still widely available for download.

The finding was first reported by cybersecurity firm Socket, where researcher Kush Pandya led the initial probe. These rogue packages copy the node-telegram-bot-api library’s official description. Perhaps the most insidious part of the ruse is how easy it makes it for unsuspecting developers to install them without noticing anything wrong. The scheme relies on a technique known as starjacking, in which a package’s metadata points at the legitimate project’s repository so that it appears to share that project’s stars and reputation. Its objective is to lend the malicious packages a false air of authenticity.

Details of the Malicious Packages

The three malicious packages exhibit varied download statistics: node-telegram-utils has been downloaded 132 times, node-telegram-bots-api has 82 downloads, and node-telegram-util has 73 downloads. To be clear, these numbers don’t look like much on paper. Kush Pandya emphasizes that “while that number may sound modest, it only takes a single compromised environment to pave the way for wide-scale infiltration or unauthorized data access.” This calls attention to the dire consequences of this kind of security weakness within software development infrastructure.

Furthermore, another concerning package has come to light: @naderabdi/merchant-advcash. Although it is presented as a way to help merchants accept crypto and fiat payments, the package secretly opens a reverse shell, a communication channel to an attacker-controlled remote server, the moment certain functions are invoked. According to Socket, “the package @naderabdi/merchant-advcash contains hardcoded logic that opens a reverse shell to a remote server upon invocation of a payment success handler.” This creates an additional layer of risk for developers who might accidentally include packages like these in their projects.

The Implications of Supply Chain Vulnerabilities

The sheer volume of these malicious packages highlights the ongoing need for supply chain security throughout the software development ecosystem. As Kush Pandya points out, “supply chain security incidents repeatedly show that even a handful of installs can have catastrophic repercussions, especially when attackers gain direct access to developer systems or production servers.” This underscores how important it is for developers to be more vigilant when selecting and using third-party libraries in their applications.

Cybercriminals are leveraging tactics such as starjacking to further exploit trust within developer communities. This erosion of trust both makes malicious packages harder to detect and points to a broader, deeply concerning trend within the cybersecurity ecosystem. As software developers continue to make greater use of open-source libraries, the integrity and authenticity of these rich resources are essential.

Recommendations for Developers

To reduce the risk from these types of attacks, developers should follow security best practices when using dependencies. Always check the source and authenticity of packages before installing them. Follow alerts from trusted cybersecurity organizations about newly discovered threats. Regular audits of existing dependencies also strengthen defenses against possible attacks.
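As an added illustration of the auditing and starjacking points above (example code written for this page, not code from the article, Socket, or any package it names), the following script checks dependency manifests offline for two signals: a name that is a close edit of a vetted package, and a repository field that claims a vetted package’s GitHub repository. The known-good list, the 0.3 distance ratio, and the sample manifests (including the repository URL on the rogue entry) are constructed assumptions for the demo.

```javascript
// Added example: offline audit of npm manifests for lookalike names and
// starjacking (repository metadata borrowed from a popular project).
// Vetted packages mapped to their GitHub slugs; any other package claiming
// one of these repositories is treated as a starjacking attempt.
const KNOWN_GOOD = {
  "node-telegram-bot-api": "yagop/node-telegram-bot-api",
  "node-fetch": "node-fetch/node-fetch",
};
// Plain Levenshtein edit distance (two-row dynamic programming).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}
// Reduce "git+https://github.com/owner/repo.git" style URLs to "owner/repo".
function repoSlug(url) {
  const m = /github\.com[/:]([^/]+)\/([^/#?]+?)(?:\.git)?\/?$/i.exec(url || "");
  return m ? `${m[1]}/${m[2]}`.toLowerCase() : null;
}
// Audit one manifest ({ name, repository }) and return a list of findings.
// maxRatio (edit distance / longer name) is a tunable heuristic threshold.
function auditPackage(pkg, known = KNOWN_GOOD, maxRatio = 0.3) {
  const findings = [];
  if (pkg.name in known) return findings; // vetted package, nothing to flag
  const url = pkg.repository && (pkg.repository.url || pkg.repository);
  for (const [good, slug] of Object.entries(known)) {
    const d = levenshtein(pkg.name, good);
    if (d / Math.max(pkg.name.length, good.length) <= maxRatio)
      findings.push(`lookalike of ${good} (edit distance ${d})`);
    if (repoSlug(url) === slug.toLowerCase())
      findings.push(`starjacking: claims repository of ${good}`);
  }
  return findings;
}
// Constructed sample manifests; the repository URL on the rogue entry is an
// assumption made for illustration, not data reported by the article.
const SAMPLE = [
  { name: "node-telegram-bots-api" },
  { name: "node-telegram-utils", repository: { url: "git+https://github.com/yagop/node-telegram-bot-api.git" } },
  { name: "express" },
];
for (const pkg of SAMPLE) console.log(pkg.name, auditPackage(pkg));
```

In a real audit you would feed it the manifests from node_modules (each package's package.json) and seed KNOWN_GOOD with the packages your team has actually reviewed.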