Cybersecurity researchers have discovered three malicious npm packages, node-telegram-utils, node-telegram-bots-api, and node-telegram-util, that masquerade as a popular Telegram bot library but contain SSH backdoors and data exfiltration capabilities. The packages use "starjacking" to appear more popular than they are by linking to the GitHub repository of the legitimate library. Once installed, the packages add SSH keys to the system, granting the attackers persistent remote access. The packages also collect system information like username and IP address, and beacon out to external servers to confirm the infection. Removing the packages does not eliminate the threat, as the inserted SSH keys remain. This disclosure comes alongside another malicious npm package, @naderabdi/merchant-advcash, which is designed to launch a reverse shell to a remote server while disguising it as a payment integration utility…
🚨 Malware Alert for Developers! 3 npm packages are mimicking a popular Telegram bot library—but secretly install SSH backdoors & exfiltrate your data. They replicate the look of node-telegram-bot-api (100K weekly users), use starjacking to fake credibility, and target Linux systems. Removal ≠ protection—SSH keys stay behind. Learn more: thehackernews.com/2025/04/ro…
Roblox developers targeted by malicious npm packages mimicking popular libraries. Attackers employed techniques like brandjacking and starjacking to make the packages seem legitimate, leading to significant security breaches. thehackernews.com/2024/09/ma… #CyberSecurity
Roblox developers targeted by malicious npm packages mimicking popular libraries. Attackers employed techniques like brandjacking and starjacking to make the packages seem legitimate, leading to significant security breaches. Read: thehackernews.com/2024/09/ma… #CyberSecurity
11 Jul 2024
Earlier this week, we discovered that the Roblox Node.js library was hit by the "Destroy Loneliness" npm starjacking attack, deploying QuasarRAT. Execution of this virus would have allowed the attacker to establish command and control over affected Windows endpoints. We've notified @github and this package has now been removed from npm. Read @0xpoppaea's analysis of this attack here: stacklok.com/blog/destroylon… #cybersecurity #ThreatIntel #malware
7 Feb 2024
This harmful package employs "combosquatting" (a variant of typosquatting) and starjacking (linking to the genuine Noblox.js GitHub repo) to appear trustworthy. It's a sneaky way to gain credibility and spread the attack.
11 Dec 2022
GitHub "StarJacking": faking star counts and similar signals makes it harder to judge which package is legitimate. It happens because the package registry does not verify ownership of the linked GitHub repository, so anyone can link to it and publish. yamory.io/blog/about-malicio… Apparently it is not always as simple as "this one has fewer stars, so it must be the fake".
10 Oct 2022
What’s new in CAPEC 3.8 for #SupplyChainSecurity? * 5 new #AttackPatterns: 3 related to #Spoofing, 1 each for #StarJacking & #RepoJacking. * 1 new dedicated “Supply Chain Risks” view for the #CISA Supply Chain Lifecycle, with 6 new categories supporting it. bit.ly/3Cwf81r
“StarJacking” “In this attack, the original ‘requests’ GitHub repository was named as the repository of the malicious packages, making them look highly popular and reliable.”
4 Jun 2022
Someone is trying to typosquat the Python requests package medium.com/checkmarx-securit…
In the post, @Checkmarx explains how attackers use #StarJacking to manipulate the #github star ratings of #opensource packages in order to lure developers into downloading them (#Download) and to inject malicious code (#Schadcode) into the #SoftwareSupplyChain. it-daily.net/it-sicherheit/c… #CyberAttack
"StarJacking - a way to make an open source package instantly look popular by abusing the lack of validation between the package to its GitHub repository" checkmarx.com/blog/starjacki… As the article states, this plus typosquatting is a powerful combination #security
"Anyone who wants to get developers to download their package therefore only needs to pick a GitHub repository with the desired statistics and copy its URL into the URL field of their setup.py/setup.cfg file." @ZackZoren @Checkmarx #StarJacking cutt.ly/0GLITER
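The gap the two Checkmarx posts above describe (a registry accepts any repository URL in the package manifest without checking that the repository has anything to do with the package) can be checked from the consumer side. The following is an added example, not code from Checkmarx, from any registry, or from the page: it normalizes the `repository` field of a published npm-style manifest, compares it with the repository the reviewer actually fetched, and then checks whether the manifest inside that repository corroborates the package name. All manifests, package names and the `example-org/telegram-bot-lib` slug are constructed for the example; no network access is needed.

```python
import re
from typing import Optional

# Accepts the GitHub URL forms commonly found in a package.json "repository" field:
# https://, git+https://, git@github.com:owner/repo.git and ssh://git@github.com/...
_GITHUB_RE = re.compile(
    r"^(?:git\+)?(?:https?://|git@|ssh://git@)?(?:www\.)?github\.com[/:]"
    r"(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?/?$"
)

def normalize_repo(repository) -> Optional[str]:
    """Return 'owner/repo' (lower-cased) for a repository field, or None if unparsable."""
    if isinstance(repository, dict):                 # {"type": "git", "url": "..."} form
        repository = repository.get("url", "")
    if not isinstance(repository, str) or not repository.strip():
        return None
    s = repository.strip()
    if s.startswith("github:"):                      # "github:owner/repo" shorthand
        s = s[len("github:"):]
    m = _GITHUB_RE.match(s) or re.match(r"^(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)$", s)
    return f"{m.group('owner')}/{m.group('repo')}".lower() if m else None

def check_starjacking(published: dict, repo_manifest: Optional[dict], repo_slug: str) -> dict:
    """Compare the published manifest with the manifest found in the linked repository.

    repo_slug is the 'owner/repo' the reviewer fetched; repo_manifest is that repo's
    package.json (None if the repo has none). Returns a verdict with human-readable reasons.
    """
    reasons = []
    declared = normalize_repo(published.get("repository"))
    if declared is None:
        reasons.append("no parsable GitHub repository declared")
    elif declared != repo_slug.lower():
        reasons.append(f"declared repository {declared} != fetched {repo_slug}")
    if repo_manifest is None:
        reasons.append("repository has no package.json to corroborate the link")
    else:
        if repo_manifest.get("name") != published.get("name"):
            reasons.append(f"repo package name {repo_manifest.get('name')!r} != "
                           f"published {published.get('name')!r}")
        if normalize_repo(repo_manifest.get("repository")) not in (None, declared):
            reasons.append("repository's own manifest points at a different repository")
    return {"suspicious": bool(reasons), "reasons": reasons}

# Constructed sample data: a legitimate package and a look-alike that borrows its repo link.
REPO_SLUG = "example-org/telegram-bot-lib"
REPO_MANIFEST = {"name": "telegram-bot-lib", "repository": "github:example-org/telegram-bot-lib"}
LEGIT = {"name": "telegram-bot-lib",
         "repository": {"type": "git", "url": "git+https://github.com/example-org/telegram-bot-lib.git"}}
LOOKALIKE = {"name": "telegram-bots-lib", "repository": "https://github.com/example-org/telegram-bot-lib"}
```

A name mismatch is only a signal, not proof: forks and renamed packages trip it too, so treat a "suspicious" verdict as a prompt to read the repository rather than as a verdict on its own.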
19 Apr 2022
The latest sneak attack on the trust in the #opensource security world is #StarJacking - a technique for making a package look more popular than it is. Read the latest discovery by @ZackZoren @jossefharush & Aviad Gershon here cutt.ly/HF3YKtQ #AppSec #Opensourcesecurity
25 Apr 2016
Epic starjacking on the Hollywood #WalkOfFame. #RIP #Prince #streetart
Thought I was a genius for "coming up" w/ "starjacking" (leaving @starbucks w/someone else's drink) but @urbandictionary put me in my place.