VYPR

npm · Malicious package advisory

Malware

telebot-server

MAL-2026-5620

Malicious code in telebot-server (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3d3c49bb558149b55f90b708ff47e24f6f856a88abb4b2ed477633c3df43d4e2)
The package advertises itself as a configurable Telegram bot server (README and.env.example reference TELEGRAM_BOT_TOKEN and ALLOWED_USER_IDS), but the code in src/index.js ignores those environment variables entirely. Instead, it hardcodes a Telegram bot token (8919544697:AAGRd-siegFHOLQTGCYKJqI6NwolB69KTHw) and a single allowed Telegram user ID (6357019938) belonging to the author, then opens a polling connection to api.telegram.org. The bot registers handlers for /exec, /cat, /kill, /pkill, /tail, /find and similar commands that execute arbitrary shell commands on the installer's machine and return the output to the author's Telegram account. On startup, src/index.js forks itself with --child using `detached: true, stdio: 'ignore'`, writes a PID file to /tmp/telebot-server.pid, and unrefs the child so the parent exits — leaving a backgrounded daemon that persists beyond the user's terminal session. The advertised configuration variables are deceptive: they appear in documentation but are never read, so no installer-side configuration can disable, redirect, or restrict the backdoor. Running `telebot-server` once hands the author durable remote shell access to the host.

Compromised versions (1)

  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.