npm

ams-ssk

Server-side runtime for the shetty123 Telegram-hijack operation, marketed as a NestJS file-management library. Defines the same folders/:folder/files/download-all API surface that common-tg-service consumes from cms.paidgirl.site. No direct local-execution payload against the installer; campaign-associated operator infrastructure published on npm under the same publisher.

discovered 2026-05-03

Threat types

c2_agent

Malicious versions

1.0.33 · 80da04770a779330…
1.0.0

Campaigns

shetty123 Telegram Hijackattributed-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1539 Steal Web Session Cookieuses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1102 Web Serviceuses

Read the full analysis →