Malicious PyPI Packages Let Hackers Control Telegram Bot Servers
Operation Navy Ghost is targeting Python developers who build Telegram bots by hiding backdoors inside trojanized Pyrogram forks uploaded to PyPI.
The campaign has been active since November 2025, according to Checkmarx researchers, who named the activity Operation Navy Ghost. The attackers published malicious packages that copy the original Pyrogram project while quietly adding code that lets them read files and run commands on compromised systems.
Attackers Used Pyrogram’s Popularity Against Telegram Bot Developers
Pyrogram is a Python framework used to build Telegram bots and userbots. Although the original project no longer receives maintenance, many developers still rely on it for production Telegram automation.
That made it a useful target for threat actors. Developers searching for Pyrogram alternatives or modified forks could install a malicious package that appeared legitimate at first glance.
Checkmarx found that the attackers uploaded at least eight malicious packages to PyPI between November 2025 and June 2026. The package names include VLifeGram, VLife-Gram, pyrogram-navy, pyrogram-styled, pyrogram-zeeb, kelragram, sepgram, and pyrogram-kelra.
Some of these packages attracted thousands of downloads. The most downloaded package, pyrogram-styled, reportedly passed 15,000 downloads.
Malicious Packages Included a Hidden Backdoor
The attackers copied the original Pyrogram source code into the malicious packages to make them look functional and familiar. This helped reduce suspicion because developers could still use the package for Telegram bot development.
However, the attackers added a hidden backdoor file named secret.py inside the helpers module. The backdoor activates when a developer imports Pyrogram or when the infected Telegram bot starts running.
Once active, the malware registers hidden Telegram command handlers. These handlers let the attackers control the compromised bot through Telegram commands.
What Attackers Could Steal From Infected Servers
The backdoor runs with the same permissions as the infected Telegram bot. That means the attackers can access anything the bot process or its server account can access.
Potentially exposed data includes environment variables, Telegram session files, chats, contacts, credentials, local files, databases, and cloud API keys. If developers stored tokens or secrets on the server, the attackers may have been able to retrieve them.
Malware Focused on Production Bot Accounts
Checkmarx said the backdoor activates only on Telegram bot accounts. That detail suggests the attackers wanted access to real bot deployments rather than casual local testing environments.
The malware also tries to stay quiet. It suppresses errors and disables logging, making it harder for developers to notice suspicious behavior during normal use.
The goal appears to be long-term access to sensitive infrastructure. Attackers could use infected bots as a path into production systems, steal secrets, or run additional commands after the initial compromise.
Hardcoded Telegram IDs Controlled the Backdoor
The malware includes a hardcoded OWNERS list containing Telegram IDs controlled by the attackers. These IDs give the threat actor exclusive access to the hidden command handlers.
The same list also helps prevent the backdoor from activating on the attackers’ own systems. Checkmarx linked the packages to one threat actor because they shared code, command names, infrastructure, and the same ownership list.
This overlap suggests the campaign came from a coordinated source rather than unrelated package uploads.
Developers Should Remove Packages and Rotate Secrets
Developers who installed any of the affected packages should remove them immediately. They should also treat affected systems as compromised.
The recommended response includes revoking and regenerating Telegram bot tokens, rotating credentials, checking environment variables, reviewing cloud API keys, and inspecting local files or databases that the bot could access.
Developers should also check their dependency lists for the malicious package names and review server logs where available. Since the malware disables logging and suppresses errors, a clean log file should not be treated as proof that no compromise occurred.
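The dependency check described above, together with a look for the helpers/secret.py file and hardcoded OWNERS list the article attributes to the backdoor, as an added defender-side example (this is not Checkmarx's tooling nor code from the article): the eight package names come from the article, while the PEP 503 name normalization, the file-path and string checks, the sample requirements text and the temporary demo directory are assumptions made for this illustration.

```python
"""Added example: local checks for the trojanized Pyrogram forks reported above.

Package names are the ones listed in the article; everything else (the
normalization, the helpers/secret.py path check, the OWNERS string check and
the constructed sample inputs) is an assumption for illustration.
"""
import os
import re
import tempfile
from importlib import metadata
from pathlib import Path

# Package names reported in the article.
REPORTED_PACKAGES = {
    "VLifeGram", "VLife-Gram", "pyrogram-navy", "pyrogram-styled",
    "pyrogram-zeeb", "kelragram", "sepgram", "pyrogram-kelra",
}


def normalize(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' become '-', then lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


NORMALIZED = {normalize(n) for n in REPORTED_PACKAGES}
REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def find_listed_packages(requirements_text: str) -> list[str]:
    """Return requirement lines whose project name matches a reported package."""
    hits = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        m = REQ_NAME.match(line)
        if m and normalize(m.group(1)) in NORMALIZED:
            hits.append(line)
    return hits


def find_installed_listed() -> list[str]:
    """Return reported package names installed in the current environment."""
    found = []
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name and normalize(name) in NORMALIZED:
            found.append(name)
    return sorted(found)


def find_backdoor_files(root: str) -> list[str]:
    """Walk a site-packages tree for a secret.py placed inside a helpers directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "helpers" and "secret.py" in files:
            hits.append(os.path.join(dirpath, "secret.py"))
    return sorted(hits)


def has_owner_list(path: str) -> bool:
    """Flag a file that defines an OWNERS name, as the article says the backdoor did."""
    text = Path(path).read_text(errors="replace")
    return re.search(r"^\s*OWNERS\s*=", text, re.MULTILINE) is not None


# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
Pyrogram-Styled>=2.0   # looks like a harmless fork
tgcrypto
-r extra.txt
kelragram
"""


def build_demo_tree() -> str:
    """Create a constructed site-packages layout with one planted secret.py."""
    root = tempfile.mkdtemp(prefix="demo_site_packages_")
    Path(root, "pyrogram", "helpers").mkdir(parents=True)
    # Constructed placeholder content; the ID is not a real indicator.
    Path(root, "pyrogram", "helpers", "secret.py").write_text(
        "OWNERS = [0]  # placeholder, constructed for the demo\n")
    Path(root, "requests", "helpers").mkdir(parents=True)   # benign helpers dir
    Path(root, "requests", "helpers", "__init__.py").write_text("")
    return root


if __name__ == "__main__":
    print("requirements hits:", find_listed_packages(SAMPLE_REQUIREMENTS))
    print("installed hits:", find_installed_listed())
    demo_root = build_demo_tree()
    for hit in find_backdoor_files(demo_root):
        print("secret.py found:", hit, "OWNERS list:", has_owner_list(hit))
```

Run it against a real environment by pointing find_backdoor_files at your interpreter's site-packages directory and feeding your own requirements file to find_listed_packages; a clean result only rules out these specific names and this specific file layout, so the token and credential rotation above still applies to any host that ever ran one of the listed packages.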
Checkmarx has published indicators of compromise, including malicious Telegram IDs and attacker profile URLs.
In other security news, GitHub repositories can reportedly trick Claude Code into running malware. CISA also says the BlueHammer flaw is being used in ransomware attacks.
Via BleepingComputer