How a Malicious npm Package Can Backdoor Your Linux System via SSH

A recent cybersecurity analysis reveals how attackers are exploiting npm packages to infiltrate Linux systems. The malicious package `node-telegram-utils` mimics the legitimate `node-telegram-bot-api` but contains a hidden SSH backdoor.

How the Attack Works:

  1. Deceptive Packaging – The malicious package uses starjacking (copying descriptions, GitHub icons, and names) to appear legitimate.
  2. SSH Backdoor Injection – During installation, it modifies ~/.ssh/authorized_keys, allowing attackers persistent SSH access.
  3. C2 Communication – The malware sends system details (IP, username) to a remote server and checks `solana.validator[.]blog` for validation.
  4. Delayed Execution – Some packages (like @naderabdi/merchant-advcash) only trigger after specific events (e.g., a transaction) to evade detection.

You Should Know:

Detecting & Removing the Backdoor

1. Check SSH Keys:

```bash
cat ~/.ssh/authorized_keys
```

Look for unfamiliar keys. If the package was installed with `sudo`, `~` resolved to `/root`, so check `/root/.ssh/authorized_keys` as well.

2. Remove Suspicious Keys:

```bash
nano ~/.ssh/authorized_keys       # delete the malicious entries
chmod 600 ~/.ssh/authorized_keys  # restore restrictive permissions
```

3. Audit npm Packages:

```bash
npm ls      # list installed packages and their dependency tree
npm audit   # check installed packages against published advisories
```

`npm audit` only reports packages that already have an advisory, so a freshly published typosquat can pass it; inspect the dependency tree for names you did not expect.

4. Monitor Network Connections:

```bash
netstat -tulnp   # listening TCP/UDP sockets and the processes that own them
lsof -i          # every open network connection, per process
```

Note that `-l` in `netstat -tulnp` restricts the output to listening sockets; drop it to include established connections.

5. Revoke SSH Access:

```bash
sudo systemctl restart sshd   # restart the SSH service
sudo journalctl -u sshd -f    # follow the SSH log for new logins
```

The access itself is revoked by removing the key in step 2; restarting `sshd` does not terminate sessions that are already open, so also check for logged-in sessions you do not recognise and terminate them.

6. Scan for Malware:

```bash
sudo rkhunter --check   # rootkit detection
sudo chkrootkit         # check for known backdoors
```

Preventive Measures

  • Use `package-lock.json` to enforce version integrity:

    ```bash
    npm ci   # clean install of exactly what the lockfile pins
    ```

  • Disable install-time scripts, so a package cannot run code (such as a write to `authorized_keys`) during installation. This is not signature verification; it only stops lifecycle hooks from running, and it also skips hooks legitimate packages may need for native builds:

    ```bash
    npm install --ignore-scripts   # skip preinstall/install/postinstall scripts
    ```

  • Require a second factor for SSH, so a planted key alone is not enough to log in:

    ```bash
    sudo nano /etc/ssh/sshd_config   # set "AuthenticationMethods publickey,keyboard-interactive"
    ```

    The `keyboard-interactive` method needs a PAM module (for example a TOTP module) configured behind it; restart `sshd` after editing.

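As an added example (not code from the original post or from the analysis it summarises), the following Python script automates steps 1 and 3 of the detection list above: it fingerprints every entry in `authorized_keys` the same way `ssh-keygen -lf` does, flags entries that are not on an allowlist you maintain, and reports which install hooks a `package.json` would run. The key blobs and the package name in the sample data are constructed placeholders, not real keys.

```python
import base64
import hashlib
import json

# Constructed sample: one admin key plus one planted by an install script.
# The blobs are dummy base64 of the right length, not real keys (hypothetical).
ED25519_PREFIX = "AAAAC3NzaC1lZDI1NTE5AAAAI"
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-ed25519 " + ED25519_PREFIX + "A" * 43 + " admin@workstation",
    "# the admin never added anything below this line",
    "no-pty ssh-ed25519 " + ED25519_PREFIX + "B" * 43 + " node-telegram-utils",
])
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def fingerprint(blob):
    # Same SHA256 form that `ssh-keygen -lf` prints (unpadded base64).
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    # The key type token is found by prefix, so leading options such as
    # no-pty or command="..." (even with spaces) do not break parsing.
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(("ssh-", "ecdsa-sha2-", "sk-"))), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line, nothing to fingerprint
        yield {"options": " ".join(tokens[:idx]), "type": tokens[idx],
               "fingerprint": fingerprint(tokens[idx + 1]),
               "comment": " ".join(tokens[idx + 2:])}

def unknown_keys(text, trusted_fingerprints):
    # Entries whose fingerprint is not on the admin's allowlist.
    return [k for k in parse_authorized_keys(text)
            if k["fingerprint"] not in trusted_fingerprints]

def lifecycle_scripts(package_json_text):
    # Hooks npm runs automatically at install time, which is where the
    # authorized_keys write described above would be triggered.
    scripts = json.loads(package_json_text).get("scripts") or {}
    return {n: c for n, c in scripts.items() if n in INSTALL_HOOKS}
```

Run `unknown_keys` over the real file with the fingerprints of your own keys as the allowlist, and `lifecycle_scripts` over each `node_modules/*/package.json` to see which packages execute code at install time.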
What Undercode Say

Supply-chain attacks are escalating, and npm remains a prime target. Attackers exploit trust in open-source ecosystems, making vigilance critical. Always:
– Manually inspect dependencies.
– Use tools like `npm audit` and `yarn why`.
– Monitor `authorized_keys` and network traffic.
– Assume every install could be malicious.

Expected Output:

A secure system with no unauthorized SSH keys, verified npm packages, and active monitoring for suspicious network activity.

Relevant URL: LinkedIn Post (for further reading).

References:

Reported By: Naim Aouaichia – Hackers Feeds