A recent campaign targeting the open-source Node.js community has exposed Linux developers to significant risk through malicious npm packages designed to deploy persistent SSH backdoors.
Security analysts have identified a cluster of typosquatted libraries, including node-telegram-utils, node-telegram-bots-api, and node-telegram-util, which impersonate the widely trusted node-telegram-bot-api package, a foundational tool for Telegram bot development with over 4.2 million downloads.
Attackers Target Telegram Developer Ecosystem with Typosquatted Packages
These malicious packages, first detected in early 2025, mimic the legitimate library by duplicating its README documentation and linking to the authentic GitHub repository to create a misleading sense of trust.

By hijacking the legitimate project’s star count and appearance, threat actors successfully deceived unsuspecting developers into integrating backdoored tools into their projects.
Although the total number of downloads, approximately 300 across all malicious packages, may appear modest, history demonstrates that even a single compromise can provide attackers with a strategic foothold in sensitive production environments.
The core of these attacks is a hidden function automatically executed on Linux systems.
Upon instantiation, the malicious code checks the system’s operating platform and, if Linux is detected, appends two attacker-controlled SSH keys to the ~/.ssh/authorized_keys file.
According to the report, this enables passwordless, persistent remote access, allowing attackers to maintain control even if one key is discovered and removed.
The malware also collects basic host telemetry, including the external IP address and username, and exfiltrates this data to a remote command-and-control server hosted at solana.validator.blog, confirming successful compromise.
Persistent SSH Access Granted on Compromised Linux Hosts
What makes these attacks especially insidious is their seamless integration into otherwise familiar codebases.
The malicious amendments are buried within what appears to be routine Telegram bot logic, making detection difficult for developers reviewing package dependencies.
Removing the compromised npm package does not automatically revoke the injected SSH keys; unless they are also removed from ~/.ssh/authorized_keys, systems remain exposed to continued unauthorized access and abuse.
The impact of these supply chain attacks is multi-faceted. Attackers gain durable, privileged entry into developer environments and production servers, enabling further lateral movement, data exfiltration, and potentially arbitrary code execution.
Given the interconnectedness of modern software workflows and the sensitive credentials available on developer machines, such compromise can quickly escalate to broader data breaches and systemic infiltration.
This campaign highlights the ongoing challenges of securing decentralized software supply chains, especially within the npm ecosystem, where package creation and publication remain largely unvetted and open to anyone.
Telegram, in particular, is a high-profile target owing to its popularity (over 1 billion monthly users) and the lack of a centralized or curated app store for bots and integrations.
The platform’s bot-friendly API, while fostering innovation, simultaneously enables attackers to introduce malicious dependencies with relative ease.
To mitigate these evolving threats, security experts recommend rigorous dependency auditing and the adoption of automated scanning tools.
Solutions such as Socket’s GitHub app and CLI tool can provide real-time monitoring and preemptive detection of suspicious dependencies before they are merged into codebases or deployed to production.
Layering these tools with browser-based protections further shields developers from inadvertently downloading or interacting with malicious content.
This incident underscores the imperative for organizations and developers alike to secure their open-source workflows, maintain vigilant monitoring of all third-party packages, and swiftly respond to any anomalous behavior detected within their environments.
The risks posed by supply chain attacks remain acute, and the latest wave of sophisticated npm-based malware demonstrates a persistent threat to operational security, data privacy, and the integrity of open-source ecosystems.