Source: Talkback Resources
Cybersecurity researchers have recently discovered a series of malicious packages lurking in the npm registry, the main repository for JavaScript packages. The packages mimic the legitimate "node-telegram-bot-api," a widely used library for building Telegram bots, but instead of providing bot functionality they install SSH backdoors on Linux systems, giving attackers persistent, passwordless remote access. The identified malicious packages are "node-telegram-utils," "node-telegram-bots-api," and "node-telegram-util," which together have accumulated around 300 downloads.

The packages rely on "typosquatting": their names are close enough to the legitimate library's to trick developers into installing them. They also use "starjacking," linking to the genuine library's GitHub repository so that the package listing borrows its apparent authenticity. Once installed on a Linux system, the packages inject SSH keys into the "~/.ssh/authorized_keys" file, which lets the attackers log in to the compromised machine remotely. They also collect system information, including the username and external IP address, and send it to a remote server controlled by the attackers.

Security experts warn that simply removing the malicious packages is insufficient to eliminate the threat. The injected SSH keys provide a persistent backdoor, allowing attackers to execute code and exfiltrate data even after the packages are uninstalled. This incident highlights the growing threat of supply chain attacks targeting development ecosystems like npm, underscoring the importance of rigorous dependency auditing and vigilant monitoring to safeguard systems from malicious code and unauthorized access. The researchers at Socket recommend immediate defensive actions to combat these types of threats.


References:
  • The Hacker News: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • Talkback Resources: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • ciso2ciso.com: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems (source: thehackernews.com)
  • linuxsecurity.com: Linux security administrators face a growing challenge with sophisticated supply chain attacks targeting popular development ecosystems, such as npm.
  • securityonline.info: Malicious npm Packages Backdoor Telegram Bot Developers