Malicious npm package published by user shetty123 as part of a Telegram account hijacking framework targeting Indian Telegram users. All 31 published versions (1.0.0 through 1.0.33) are malicious. Pairs with common-tg-service, which performs the client-side Telegram account takeover.
ams-ssk is the server-side AMS/CMS infrastructure for the operation. It exposes a file-management CRUD API including a bulk-zip download endpoint (folders/:folder/files/download-all) and a multi-bot Telegram message-forwarder with per-bot operation counters used to fan out hijacked-account traffic. Observed deployments include cms.paidgirl.site and promoteClients2.glitch.me. The package is part of an actor-controlled stack (operator identity shetty123 / display name Mad_man) used to manage stolen Telegram accounts and exfiltrate data to attacker-controlled Telegram channels (-1001801844217, -1001972065816).
Malice executes at runtime when the service is initialized; there are no preinstall/postinstall lifecycle scripts, so the package bypasses install-time scanners.
Exploitability
AV:NAC:LPR:NUI:NScope
S:CImpact
C:HI:HA:H10.0/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H