npm · Malicious package advisory
Malwaretelebot-server
MAL-2026-5620
Malicious code in telebot-server (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (3d3c49bb558149b55f90b708ff47e24f6f856a88abb4b2ed477633c3df43d4e2) The package advertises itself as a configurable Telegram bot server (README and.env.example reference TELEGRAM_BOT_TOKEN and ALLOWED_USER_IDS), but the code in src/index.js ignores those environment variables entirely. Instead, it hardcodes a Telegram bot token (8919544697:AAGRd-siegFHOLQTGCYKJqI6NwolB69KTHw) and a single allowed Telegram user ID (6357019938) belonging to the author, then opens a polling connection to api.telegram.org. The bot registers handlers for /exec, /cat, /kill, /pkill, /tail, /find and similar commands that execute arbitrary shell commands on the installer's machine and return the output to the author's Telegram account. On startup, src/index.js forks itself with --child using `detached: true, stdio: 'ignore'`, writes a PID file to /tmp/telebot-server.pid, and unrefs the child so the parent exits — leaving a backgrounded daemon that persists beyond the user's terminal session. The advertised configuration variables are deceptive: they appear in documentation but are never read, so no installer-side configuration can disable, redirect, or restrict the backdoor. Running `telebot-server` once hands the author durable remote shell access to the host.
Compromised versions (1)
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.