Malicious Telegram API Clone Installs SSH Backdoor via npm

Security experts at Socket have discovered a new software supply chain attack involving fake npm libraries disguised as the popular Telegram Bot API. These malicious packages secretly install SSH backdoors and data-stealing modules on affected systems.

Telegram as a Target for Attackers

In 2025, Telegram’s monthly user base surpassed one billion, including over 12 million paid subscribers, making it an attractive target for cybercriminals. Telegram offers developers an open API for creating bots, but unlike platforms like the App Store or Google Play, it does not have a formal code review process before publication. This environment is appealing not only to enthusiasts but also to malicious actors.

How the Attack Works

Socket identified three npm libraries—node-telegram-utils, node-telegram-bots-api, and node-telegram-util—each imitating the legitimate node-telegram-bot-api package, which has millions of downloads. The descriptions of these fake packages are copied directly from the original README, and the repository links point at the real GitHub project so that its star count is displayed on the npm page, a technique known as starjacking. This creates an illusion of authenticity and lowers developers’ guard.

Although the total number of downloads for these malicious packages is around 300, a single installation can have critical consequences. When the library runs, it checks whether the host is running Linux. If so, it automatically executes a hidden function called addBotId(), which appends two attacker-controlled SSH public keys to the ~/.ssh/authorized_keys file. This grants persistent, passwordless access to the system. Uninstalling the package does not close the backdoor: the keys are not removed, so the attacker keeps access until authorized_keys is cleaned up by hand.

Additional Data Theft

Beyond SSH access, the malicious code also collects the username and external IP address of the infected system, sending this information to a remote server at solana.validator.blog to confirm successful compromise. The entire malicious logic is contained in just 40 lines of code, hidden within a library that appears identical to the original. The attack is silent and requires no user interaction—one execution is enough to compromise the system.

Implications for Software Development

This attack highlights the vulnerability of modern software development to dependency-based threats. Companies often blindly trust external packages, unaware that each npm installation could hand over control of their servers to outsiders. Vigilance and thorough vetting of dependencies are essential to prevent such supply chain attacks.