Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
Author: Cyber Security News
Uploaded: 21 Apr 2025
Views: 100
Cybersecurity researchers have uncovered three malicious packages in the npm registry that masquerade as a popular Telegram bot library but harbor SSH backdoors and data exfiltration capabilities.
According to supply chain security firm Socket, the packages are designed to mimic node-telegram-bot-api, a popular Node.js client library for the Telegram Bot API with over 100,000 weekly downloads. At the time of the report, the three rogue libraries were still available for download from the registry.
"While that number may sound modest, it only takes a single compromised environment to pave the way for wide-scale infiltration or unauthorized data access," security researcher Kush Pandya said.
"Supply chain security incidents repeatedly show that even a handful of installs can have catastrophic repercussions, especially when attackers gain direct access to developer systems or production servers."
The rogue packages not only copy the description of the legitimate library, but also use a technique called starjacking to borrow its apparent credibility and trick unsuspecting developers into installing them.
Starjacking makes an open-source package look more popular and established than it is: the malicious package's manifest links the GitHub repository of the legitimate library, so the registry page displays that repository's stars, forks and commit activity as if they belonged to the rogue package. The technique works because npm performs no validation that the repository referenced in a package's metadata actually publishes that package, or that it belongs to the package's publisher.
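As an added example that is not code from the article or from Socket, the check below performs the validation npm itself skips: it normalizes the `repository` field of a published manifest to an `owner/repo` pair and compares the package name and description against the package.json that actually lives in the linked GitHub repository. The sample manifests, the rogue package name and the finding labels are constructed for illustration (the article does not name the three packages); only `yagop/node-telegram-bot-api` is the real upstream repository. Fetching the two manifests (for example via `npm view <name> --json` and the repo's default branch) is left to the caller so the check runs offline.

```javascript
// Added example, not from the article or Socket's research. Heuristic
// starjacking check: npm does not verify that a package's `repository`
// field points at a repo that publishes that package, so a rogue package
// can link the legitimate project's GitHub repo and borrow its stars and
// commit history on the registry page. Comparing the published manifest
// with the package.json found in the linked repo exposes the mismatch.

// Normalize the shapes package.json allows for `repository` to "owner/repo".
function normalizeRepo(repository) {
  const url = typeof repository === 'string'
    ? repository
    : (repository && repository.url) || '';
  // "github:owner/repo" shorthand
  let m = url.match(/^github:([^/#]+)\/([^/#]+)/);
  // git+https://github.com/owner/repo.git, git@github.com:owner/repo.git,
  // https://github.com/owner/repo#readme
  if (!m) m = url.match(/github\.com[/:]([^/#]+)\/([^/#]+?)(?:\.git)?(?:[/#].*)?$/);
  return m ? `${m[1]}/${m[2]}`.toLowerCase() : null;
}

// publishedManifest: package.json as served by the registry.
// repoManifest: package.json from the default branch of the linked repo,
// or null if the repo has none (also a signal: nothing there builds this package).
function checkStarjacking(publishedManifest, repoManifest) {
  const findings = [];
  const repo = normalizeRepo(publishedManifest.repository);
  if (!repo) {
    // No GitHub link means nothing to borrow; not checkable, not suspicious here.
    return { repo: null, suspicious: false, findings };
  }
  if (!repoManifest) {
    findings.push('linked-repo-has-no-package-json');
  } else {
    const nameMismatch = repoManifest.name !== publishedManifest.name;
    if (nameMismatch) {
      // The linked repo publishes a different package: the classic starjacking signal.
      findings.push('name-mismatch');
    }
    if (nameMismatch && repoManifest.description &&
        repoManifest.description === publishedManifest.description) {
      // Description copied verbatim from the legitimate project, as in this campaign.
      findings.push('description-cloned');
    }
  }
  return { repo, suspicious: findings.length > 0, findings };
}

// Constructed sample manifests. The upstream repository is real; the rogue
// package name is hypothetical.
const UPSTREAM_REPO_MANIFEST = {
  name: 'node-telegram-bot-api',
  description: 'Node.js module to interact with official Telegram Bot API.',
};
const LEGIT_PUBLISHED = {
  name: 'node-telegram-bot-api',
  description: 'Node.js module to interact with official Telegram Bot API.',
  repository: { type: 'git', url: 'git+https://github.com/yagop/node-telegram-bot-api.git' },
};
const ROGUE_PUBLISHED = {
  name: 'example-telegram-bot-api-clone', // hypothetical rogue package
  description: 'Node.js module to interact with official Telegram Bot API.',
  repository: 'github:yagop/node-telegram-bot-api',
};

console.log(JSON.stringify(checkStarjacking(LEGIT_PUBLISHED, UPSTREAM_REPO_MANIFEST)));
console.log(JSON.stringify(checkStarjacking(ROGUE_PUBLISHED, UPSTREAM_REPO_MANIFEST)));
```

A name mismatch alone is the strongest signal: a repository that genuinely builds the package names it in its own package.json, whereas a starjacked link points at a repo that builds something else. Monorepos and renamed packages produce false positives, so treat the result as a triage flag to be confirmed by reading the repo, not as a verdict.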
