malware npm

ams-ssk

discovered 2026-05-03

Server-side runtime for the shetty123 Telegram-hijack operation, marketed as a NestJS file-management library. Defines the same folders/:folder/files/download-all API surface that common-tg-service consumes from cms.paidgirl.site. No direct local-execution payload against the installer; campaign-associated operator infrastructure published on npm under the same publisher.

more…

Threat types

c2_agent

Malicious versions

1.0.33 · 80da04770a779330…
1.0.0

Campaigns

shetty123 Telegram Hijackattributed-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1539 Steal Web Session Cookieuses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1102 Web Serviceuses

Read the full analysis →