shetty123 Telegram Hijack

A Telegram account-takeover operation by npm publisher shetty123 ([email protected]). Pairs a malicious client (common-tg-service) with the operator's server-side runtime (ams-ssk) deployed at cms.paidgirl.site. Targets Indian Telegram accounts for downstream UPI payments fraud.

discovered 2026-05-03

↓ JSON ↓ CSV

Objective

Hijack Telegram accounts at scale via 2FA implantation, IMAP-based confirmation-code harvesting, and forced session eviction; harvest OTP login codes for on-demand account access.

Packages

npmcommon-tg-serviceattributed-to
npmams-sskattributed-to

Indicators

domaincms.paidgirl.sitecommunicates-with
domainhelper-thge.onrender.comcommunicates-with
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1539 Steal Web Session Cookieuses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1102 Web Serviceuses
ttpT1556 Modify Authentication Process: implant 2FA on victim Telegram accountuses
ttpT1098 Account Manipulationuses
ttpOTP harvesting via Telegram chat 777000uses

Read the full analysis →