Malware-Slop 2: Malicious npm Package Leaks Its Own Bot’s Telegram Private Token

OX Security detected & reported a malicious npm package containing the threat actor’s hardcoded bot Telegram token. The npm package is an infostealer malware which exfiltrates data from the victim’s machine.

Breaking News: OX Security detected & reported the npm package cms-store-ren, a malicious JavaScript infostealer that exfiltrates data to Telegram, leaking its own bot API token.

Overview

cms-store-ren is a malicious npm package that collects data from developers’ machines and sends it to a Telegram channel. It also downloads a potentially malicious JavaScript file from a remote server and tries to execute it, although this behavior was not yet weaponized during our analysis.

OX Security observed that the data sent to the threat actor includes:

  • OS type

  • CPU architecture

  • Hostname

  • Installation timestamp

Recommended Actions

If you installed the malicious package, follow these immediate actions:

  1. Revoke your existing tokens and generate new ones

  2. Rotate your credentials and assume they may have been exfiltrated

Technical Analysis

[image]

The package acts as a downloader/loader whose primary purpose is to fetch and execute a second-stage payload while reporting successful infections back to the malicious actor.

Upon execution, the package collects basic host information and sends it to an attacker-controlled Telegram channel:

[image]

The notification is delivered through the Telegram Bot API:

[image]

This allows the attacker to monitor new infections and gather basic victim telemetry.

While doing so, the threat actor leaked their own bot API key:

[image]

Another interesting part of the malware is its ability to generate a PowerShell script in the system’s temporary directory and launch it in the background:

[image]

The use of -WindowStyle Hidden and -ExecutionPolicy Bypass helps conceal execution from the victim.

The malware also downloads and executes a remote JavaScript payload directly from an IP address:

[image]

The payload is fetched from a raw IP rather than a domain, a common tactic used to reduce infrastructure costs and simplify deployment.

Threat Actor Analysis

During our research, we found that the threat actor’s bot token was leaked through the actor’s npm package.

Using that token, we were able to gather intelligence about the actor and its accounts.

  • Name: Native American

  • Username: amaturesequoyah

  • Bot Name: HNT

  • Bot Username: ebalvsehvrot10raz_bot

  • Exfiltration Group ID: -1003760655724

  • Exfiltration Group Name: BREVNA LETYAT

The main user behind the account is of Russian origin, according to the language code used, ironically using the name “Native American”.

[image]

[image]

The Telegram group where the data is sent is called “BREVNA LETYAT”, which roughly translates to “Logs are flying”, probably a nickname reflecting that the Telegram group is dedicated to collecting logged data.

[image]

The exfiltration group’s image is an actual log emoji.

[image]

The npm package was still available on npm at the time of publishing this article.

Affected Packages

Package name      Affected versions
cms-store-ren     All

Conclusions

cms-store-ren is another case of malware-slop being uploaded to npm. In our recent analysis we saw a threat actor leaking its own private GitHub API key, giving full access to anyone reading the malware’s code. Now we’re seeing a second instance of threat actors with lousy OPSEC, giving us direct access to their Telegram bot and a direct path to the threat actor’s Telegram account.

This is another great example of how threat actors are mindlessly uploading AI-generated malicious code without understanding the consequences of their actions, and another example of non-obfuscated malware that anyone with access to a decent AI or code scanning tool could detect and analyze. Yet npm still refuses to implement such basic detection systems, endangering the users of its ecosystem.

The post Malware-Slop 2: Malicious npm Package Leaks Its Own Bot’s Telegram Private Token appeared first on OX Security.
