{"campaign":{"name":"shetty123 Telegram Hijack","slug":"shetty123-telegram-hijack","href":"/ti/campaigns/shetty123-telegram-hijack","description":"A Telegram account-takeover operation by npm publisher shetty123 (shettysaikumar3@gmail.com). Pairs a malicious client (common-tg-service) with the operator's server-side runtime (ams-ssk) deployed at cms.paidgirl.site. Targets Indian Telegram accounts for downstream UPI payments fraud.","objective":"Hijack Telegram accounts at scale via 2FA implantation, IMAP-based confirmation-code harvesting, and forced session eviction; harvest OTP login codes for on-demand account access.","aliases":["paidgirl.site"],"discovered_at":"2026-05-03"},"packages":[{"ecosystem":"npm","name":"common-tg-service","href":"/ti/packages/npm/common-tg-service","threat_types":["credential_stealer","data_exfiltration","c2_agent"],"versions":["1.3.207","1.0.1"]},{"ecosystem":"npm","name":"ams-ssk","href":"/ti/packages/npm/ams-ssk","threat_types":["c2_agent"],"versions":["1.0.33","1.0.0"]}],"indicators":[{"kind":"domain","value":"cms.paidgirl.site","href":"/ti/ioc/domain/cms.paidgirl.site","context":"ams-ssk deployment serving the folders/:folder/files/download-all endpoint consumed by common-tg-service"},{"kind":"domain","value":"helper-thge.onrender.com","href":"/ti/ioc/domain/helper-thge.onrender.com","context":"Attribution-laundering HTTP relay; used by common-tg-service on 403/495 responses"},{"kind":"email","value":"storeslaksmi@gmail.com","href":"/ti/ioc/email/storeslaksmi@gmail.com","context":"Hardcoded 2FA recovery email implanted on every hijacked Telegram account"}],"ttps":[{"name":"Supply Chain Compromise: Compromise Software Dependencies and Development Tools","mitre_attack_id":"T1195.001","href":"/ti/ttps/T1195.001"},{"name":"Command and Scripting Interpreter: JavaScript","mitre_attack_id":"T1059.007","href":"/ti/ttps/T1059.007"},{"name":"Unsecured Credentials: Credentials In Files","mitre_attack_id":"T1552.001","href":"/ti/ttps/T1552.001"},{"name":"Exfiltration Over C2 Channel","mitre_attack_id":"T1041","href":"/ti/ttps/T1041"},{"name":"Steal Web Session Cookie","mitre_attack_id":"T1539","href":"/ti/ttps/T1539"},{"name":"Ingress Tool Transfer","mitre_attack_id":"T1105","href":"/ti/ttps/T1105"},{"name":"Application Layer Protocol: Web Protocols","mitre_attack_id":"T1071.001","href":"/ti/ttps/T1071.001"},{"name":"Web Service","mitre_attack_id":"T1102","href":"/ti/ttps/T1102"},{"name":"Modify Authentication Process: implant 2FA on victim Telegram account","mitre_attack_id":"T1556","href":"/ti/ttps/T1556"},{"name":"Account Manipulation","mitre_attack_id":"T1098","href":"/ti/ttps/T1098"},{"name":"OTP harvesting via Telegram chat 777000","href":"/ti/ttps/otp-harvesting-via-telegram-chat-777000"}],"related_campaigns":[],"reports":[{"title":"common-tg-service: 502 npm Versions Hijack Telegram","url":"https://safedep.io/malicious-common-tg-service-npm-telegram-hijacking-framework","published_at":"2026-05-01"}]}