Search results for npm node-telegram-bot-api | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have uncovered three malicious packages in the npm registry that masquerade as a popular Telegram bot library but harbor SSH backdoors and data exfiltration capabilities. The packages in question are listed below - node-telegram-utils (132 downloads) node-telegram-bots-api (82 downloads) node-telegram-util (73 downloads) According to supply chain security firm Socket, the packages are designed to mimic node-telegram-bot-api , a popular Node.js Telegram Bot API with over 100,000 weekly downloads. The three libraries are still available for download. "While that number may sound modest, it only takes a single compromised environment to pave the way for wide-scale infiltration or unauthorized data access," security researcher Kush Pandya said . "Supply chain security incidents repeatedly show that even a handful of installs can have catastrophic repercussions, especially when attackers gain direct access to developer systems or produc...