OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-3288 confirms this npm version as malicious. Malicious npm package published by user `shetty123` as part of a Telegram account hijacking framework targeting Indian Telegram users. All 502 published versions (1.0.1 through 1.3.207) are malicious. Pairs with `ams-ssk`, which provides the operator's server-side AMS/CMS infrastructure.
Advisory
MAL-2026-3288
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in common-tg-service (npm)
Details
Malicious npm package published by user `shetty123` as part of a Telegram account hijacking framework targeting Indian Telegram users. All 502 published versions (1.0.1 through 1.3.207) are malicious. Pairs with `ams-ssk`, which provides the operator's server-side AMS/CMS infrastructure.
`common-tg-service` performs full Telegram account takeover at runtime when the service is initialized (no install-time hooks, which lets it bypass scanners that gate on preinstall/postinstall lifecycle scripts). Behavior includes: implanting a hardcoded 2FA password (`Ajtdmwajt1@`) and recovery email on hijacked accounts; polling an operator-controlled Gmail inbox over IMAP (`imap.gmail.com`) to auto-submit 2FA confirmation codes; revoking all device authorizations except the attacker's session; harvesting OTP codes by monitoring Telegram chat 777000 and forwarding them to the operator; running SRP ownership checks against managed accounts and flagging rotated 2FA as unrecoverable; and fetching remote JSON configuration from `npoint.io` so operators can change behavior without re-publishing.
Blocked outbound requests are laundered through a relay at `helper-thge.onrender.com`. Stolen accounts and updates are exfiltrated to attacker-controlled Telegram channels (`-1001801844217` and `-1001972065816`). Operator infrastructure includes `paidgirl.site`, `cms.paidgirl.site`, `report-upi.netlify.app`, and `promoteClients2.glitch.me`.
---
## Source: amazon-inspector (e769b4a4ea131df52366622b66d63dfbc7c1f5642ac8478c37f86d6c25477bb8) The package presents itself as a generic 'Common Telegram service for NestJS applications' but functions as one party's production application published as a library. Multiple installer-harming behaviors are present:
1. Authentication backdoor. AppModule registers AuthGuard as a global APP_GUARD. dist/guards/auth.guard.js line 84 accepts the literal string 'santoor' as a valid x-api-key (or apiKey query parameter) and grants access to any route. Any NestJS service that imports AppModule from this package exposes every endpoint to anyone who sends `x-api-key: santoor`. The same value is baked into the shipped Swagger UI as the default auth value.
2. Silent relay of consumer outbound HTTP. dist/utils/fetchWithTimeout.js (used package-wide) automatically POSTs the original request (URL, method, headers, body, params) to https://helper-thge.onrender.com/execute-request whenever an upstream call returns 403 or 495, unless the consumer overrides process.env.bypassURL. The relay endpoint is author-controlled and authenticated with the same 'santoor' shared secret, so the author can read every mirrored request — including any auth headers or bodies the consumer's service was sending to its own upstreams.
3. Default proxy and IP-management routing through author infrastructure. dist/components/Telegram/utils/generateTGConfig.js line 97 defaults PROXY_API_URL to https://cms.paidgirls.site/ip-management and PROXY_API_KEY to 'santoor'. With proxying enabled, all MTProto traffic for the consumer's Telegram sessions is routed through SOCKS5 proxies chosen by the author, who can intercept, drop, or correlate the consumer's Telegram identities.
4. Remote zip drop into the consumer's working directory. dist/cloudinary.js line 87 fetches https://cms.paidgirls.site/folders/<folderName>/files/download-all, writes the response to process.cwd()/temp.zip, and calls zip.extractAllTo(process.cwd(), true) — overwriting any files in the consumer's working directory with whatever the author's server returns. There is no hash check, signature, or version pinning, and the destination is mutable. If extracted files land where the consumer's process later loads code or config, this is full RCE in the consumer's environment.
5. Hardcoded couplings that are not disclosed. dist/guards/auth.guard.js lines 15-26 hardcode ALLOWED_IPS and ALLOWED_ORIGINS for paidgirls.site, zomcall.netlify.app, and tgchats.netlify.app, and the package wires logging notifications to specific Telegram channels owned by the author.
Taken together, importing AppModule from this package gives the author master authentication on the consumer's API, a persistent traffic-mirroring channel, control of the consumer's Telegram proxy path, and an ability to write arbitrary files into the consumer's process CWD on demand.
## Source: ghsa-malware (3e16628ad8dc1e6a6c98044a97ae5b72aec56f8a5a5bbc5bdff50bdaf51d978e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms common-tg-service@1.3.228 as malicious (MAL-2026-3288): Malicious code in common-tg-service (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory