CyberSecurityBoard
Sponsor Register Login

Malicious npm Packages Attacking Linux Developers to Install SSH Backdoors

Discovered in early 2025, several malicious npm packages have been masquerading as legitimate Telegram bot libraries to deliver SSH backdoors and exfiltrate sensitive data from unsuspecting developers. The malicious variants—node-telegram-utils, node-telegram-bots-api, and node-telegram-util—appear virtually identical to the legitimate package, copying its documentation, functionality, and even linking back to the authentic GitHub repository with its 19,000+ stars to enhance credibility and deceive developers. Socket.dev researchers identified that these packages implement a sophisticated “starjacking” technique, where they link their homepage back to the legitimate GitHub repository to borrow trust from the original project’s reputation. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. This deception makes the malicious packages particularly difficult to identify during casual inspection, as they display the same star count as the legitimate library. The code not only injects multiple SSH keys for redundant access but also exfiltrates the victim’s IP address and username to a command-and-control server at solana[.]validator[.]blog, allowing attackers to inventory compromised systems for further exploitation or data theft. Upon installation in a Linux environment, the malicious packages automatically execute a hidden function called addBotId() whenever the constructor is called. These typosquatted packages collectively accumulated approximately 300 downloads over several months, creating a significant security threat despite their relatively modest installation numbers. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. This function performs a platform check and, if Linux is detected, proceeds with its malicious payload without requiring any user interaction. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. A concerning new supply chain attack has emerged targeting Linux developers who work with Telegram’s bot ecosystem. The attack specifically targets developer environments where npm packages are frequently installed during project setup or maintenance.

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 22 Apr 2025 20:30:07 +0000


Cyber News related to Malicious npm Packages Attacking Linux Developers to Install SSH Backdoors

Malicious npm Packages Attacking Linux Developers to Install SSH Backdoors - Discovered in early 2025, several malicious npm packages have been masquerading as legitimate Telegram bot libraries to deliver SSH backdoors and exfiltrate sensitive data from unsuspecting developers. The malicious variants—node-telegram-utils, ...
7 months ago Cybersecuritynews.com
'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
1 year ago Bleepingcomputer.com
New SSH-Snake Malware Abuses SSH Credentials - Threat actors abuse SSH credentials to gain unauthorized access to systems and networks. SSH credential abuse provides a stealthy entry point for threat actors to compromise and control the targeted systems. On January 4th, 2024, the Sysdig Threat ...
1 year ago Cybersecuritynews.com
5000+ Malicious Packages Found In The Wild To Compromise Windows Systems - These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, ...
8 months ago Cybersecuritynews.com
CVE-2024-36886 - In the Linux kernel, the following vulnerability has been resolved: ...
1 year ago
Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 year ago Securitylabs.datadoghq.com
npm 'accidentally' removes Stylus package, breaks builds and pipelines - Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code. BleepingComputer ...
4 months ago Bleepingcomputer.com
Malicious NPM packages fetch info-stealer for Windows, Linux, macOS - A recent cybersecurity investigation has uncovered malicious NPM packages that distribute an info-stealer malware targeting Windows, Linux, and macOS platforms. These packages, hosted on the popular Node Package Manager (NPM) repository, have been ...
1 month ago Bleepingcomputer.com
Lazarus Hackers Weaponized 6 npm Packages To Steal Logins - The hackers successfully compromised six popular npm packages, injecting malicious code designed to harvest login credentials from thousands of developers and organizations worldwide. A sophisticated supply chain attack orchestrated by the notorious ...
8 months ago Cybersecuritynews.com Lazarus Group
Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
1 year ago Cisa.gov
Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
1 year ago Cisa.gov
Building For a More Secure Future: How Developers Can Prioritize Cybersecurity - At the time, he was breaking new ground, repeating those words to help convince his teams on how crucial developers were going to be to the success of their platform. While the focus may have been initially on enterprise B2B platforms with Microsoft, ...
1 year ago Cyberdefensemagazine.com
New npm attack poisons local packages with backdoors - Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. In general, when downloading packages from package indexes like PyPI and ...
8 months ago Bleepingcomputer.com
Malicious NPM Packages Exploit Ethereum Wallets to Steal Crypto Funds - In a recent cybersecurity alert, researchers have uncovered a series of malicious NPM packages designed to exploit vulnerabilities in Ethereum wallets, leading to significant crypto fund thefts. These packages, masquerading as legitimate ...
3 months ago Thehackernews.com
Hackers breach Toptal GitHub account, publish malicious npm packages - In the days that followed, the attackers modified the source code of Picasso on GitHub to include malware and published 10 malicious packages on NPM as Toptal, making them appear as legitimate updates. According to code security ...
4 months ago Bleepingcomputer.com
3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
2 years ago Securityaffairs.com
New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload - These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate ethers package, ultimately creating a reverse shell on the victim’s machine. The threat actor may have been attempting to ...
8 months ago Cybersecuritynews.com
175 Malicious NPM Packages With 26,000 Downloads Found in the Wild - A recent cybersecurity investigation uncovered 175 malicious NPM packages that have been downloaded over 26,000 times, posing significant risks to developers and organizations relying on these packages. These malicious packages were designed to steal ...
1 month ago Cybersecuritynews.com
Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data - FortiGuard Labs, Fortinet’s AI-driven threat intelligence arm, has uncovered a series of malicious NPM packages designed to steal sensitive information from developers and target PayPal users. Detected between March 5 and March 14, 2025, these ...
7 months ago Cybersecuritynews.com
Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
2 years ago Securityweek.com
North Korean Lazarus hackers infect hundreds via npm packages - The packages contain malicious code designed to steal sensitive information, such as cryptocurrency wallets and browser data that contains stored passwords, cookies, and browsing history. The packages, which have been downloaded 330 times, are ...
8 months ago Bleepingcomputer.com
PhantomRaven Attack Involves 126 Malicious NPM Packages - The PhantomRaven cyberattack has been uncovered involving a staggering 126 malicious NPM packages, posing a significant threat to the software development community. These packages were designed to infiltrate systems by exploiting the widely used ...
1 month ago Cybersecuritynews.com PhantomRaven
NPM Packages Hijacked to Spread Malware: What You Need to Know - The recent hijacking of popular NPM packages has raised significant concerns in the cybersecurity community. Attackers have exploited vulnerabilities in widely used JavaScript libraries to distribute malware, putting countless developers and ...
2 months ago Cybersecuritynews.com
Malicious NPM Packages Impersonate Popular Libraries to Steal Credentials, Cryptocurrency - In a recent cybersecurity alert, researchers have uncovered a wave of malicious NPM packages designed to impersonate popular JavaScript libraries. These packages are crafted to deceive developers by mimicking legitimate libraries, but their true ...
2 months ago Thehackernews.com
Arch Linux pulls AUR packages that installed Chaos RAT malware - Arch Linux has pulled three malicious packages uploaded to the Arch User Repository (AUR) were used to install the CHAOS remote access trojan (RAT) on Linux devices. The AUR is a repository where Arch Linux users can publish package build scripts ...
4 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)