malware npm

common-tg-service

discovered 2026-05-03

Telegram account-takeover framework disguised as a NestJS Telegram service utility. All 502 published versions (1.0.1 through 1.3.207) are malicious. Sets a hardcoded 2FA password on managed accounts, polls operator IMAP for the confirmation code, evicts other authorized devices, and forwards OTP login codes from chat 777000 to operator-controlled Telegram bot channels. Pulls runtime config from npoint.io with committed plaintext credentials.

more…

Threat types

credential_stealer data_exfiltration c2_agent

Malicious versions

1.3.207 · 5061bc9611e31a48…
1.0.1

Campaigns

shetty123 Telegram Hijackattributed-to

Indicators

domain cms.paidgirl.sitecommunicates-with
domain helper-thge.onrender.comcommunicates-with
email storeslaksmi@gmail.comexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1539 Steal Web Session Cookieuses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1102 Web Serviceuses
ttp T1556 Modify Authentication Process: implant 2FA on victim Telegram accountuses
ttp T1098 Account Manipulationuses
ttp OTP harvesting via Telegram chat 777000uses

Read the full analysis →