MAL-2026-3287

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ams-ssk/MAL-2026-3287.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3287

Published

2026-05-02T08:00:00Z

Modified

2026-05-12T07:55:40.242721Z

Summary

Malicious code in ams-ssk (npm)

Details

Malicious npm package published by user shetty123 as part of a Telegram account hijacking framework targeting Indian Telegram users. All 31 published versions (1.0.0 through 1.0.33) are malicious. Pairs with common-tg-service, which performs the client-side Telegram account takeover.

ams-ssk is the server-side AMS/CMS infrastructure for the operation. It exposes a file-management CRUD API including a bulk-zip download endpoint (folders/:folder/files/download-all) and a multi-bot Telegram message-forwarder with per-bot operation counters used to fan out hijacked-account traffic. Observed deployments include cms.paidgirl.site and promoteClients2.glitch.me. The package is part of an actor-controlled stack (operator identity shetty123 / display name Mad_man) used to manage stolen Telegram accounts and exfiltrate data to attacker-controlled Telegram channels (-1001801844217, -1001972065816).

Malice executes at runtime when the service is initialized; there are no preinstall/postinstall lifecycle scripts, so the package bypasses install-time scanners.

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (89bf12be8e3ded6d209b121dd7538d92b8623e501512b2505ac402e76367ad3b)

The package ams-ssk was found to contain malicious code.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-12T07:28:50.572930817Z",
            "sha256": "89bf12be8e3ded6d209b121dd7538d92b8623e501512b2505ac402e76367ad3b",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T06:53:21Z"
        }
    ]
}

References

https://safedep.io/malicious-common-tg-service-npm-telegram-hijacking-framework/

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com
- SafeDep - FINDER
- - https://safedep.io

Affected packages

npm / ams-ssk

Package

Name: ams-ssk; View open source insights on deps.dev
Purl: pkg:npm/ams-ssk

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ams-ssk/MAL-2026-3287.json"