NEWS Made a Telegram Bot — Got a Backdoor and Data Leak as a Bonus

ExcalibuR

A Fake Telegram API Plants an SSH Backdoor Into Your System

Security researchers at Socket have uncovered a new supply chain attack involving fake npm libraries masquerading as the popular Telegram Bot API. These malicious packages quietly install SSH backdoors and modules for data exfiltration.


Telegram has become a lucrative target for cybercriminals: in 2025, its monthly user base surpassed 1 billion, including over 12 million paid subscribers. While the service offers an open API for bot development, it lacks a formal code review process prior to publication — unlike platforms such as the App Store or Google Play. This makes it fertile ground not only for hobbyists, but also for malicious actors.


Socket flagged three npm libraries — node-telegram-utils, node-telegram-bots-api, and node-telegram-util. Each imitates the legitimate node-telegram-bot-api, which has millions of downloads. The fake packages duplicate the original’s README and use a tactic called starjacking, spoofing GitHub links to show the popularity metrics of the real repository. This creates a convincing illusion of authenticity and lowers developers’ guard.


While total downloads of these malicious packages were relatively low (around 300), the consequences of a single installation can be severe. When executed, the code checks whether the system is running Linux. If so, it silently calls the hidden addBotId() function, which injects two attacker-controlled SSH keys into the ~/.ssh/authorized_keys file — granting persistent, passwordless access to the machine. Even uninstalling the package does not remove the backdoor, leaving the attacker with ongoing control.


In addition to the SSH backdoor, the malware also collects the username and external IP address, sending them to a remote server at solana.validator.blog to confirm a successful breach. This well-engineered attack stays stealthy by integrating into common software supply chains.


All malicious logic was hidden in just 40 lines of code within a package that looks indistinguishable from the real one. The process is silent and requires no user interaction — one execution is enough to compromise the system.


This incident highlights the critical vulnerabilities in modern software development pipelines caused by overreliance on third-party packages. Many companies blindly trust external dependencies, unaware that each npm install could hand control of their servers to outsiders.


To mitigate such threats, experts recommend using automated dependency analysis and monitoring tools — both at download time and during integration into the codebase. Avoiding manual installation of random packages and implementing layered defenses throughout the development and build process are key to closing the primary attack vector: trust in third-party libraries. Given the increasing sophistication of these attacks, such measures are no longer optional — they are essential.