VYPR research
Published Jun 30, 2026 · 1 source

Malicious PyPI Packages Target Telegram Bot Developers with File-Reading Backdoors

A persistent campaign has been distributing trojanized Python packages on PyPI, granting attackers the ability to read arbitrary files on compromised Telegram bot servers.

A sophisticated supply-chain attack campaign, active since November 2025, has been targeting Python developers building Telegram bots. Threat actors have published at least eight malicious packages on the Python Package Index (PyPI) that masquerade as forks of the popular, though unmaintained, Pyrogram library. These trojanized packages contain a hidden backdoor capable of exfiltrating sensitive data from infected servers.

The campaign, dubbed 'Operation Navy Ghost' by application security firm Checkmarx, has seen the threat actor upload various versions of these malicious packages between November 2025 and June 2026. The affected packages include VLifeGram, VLife-Gram, pyrogram-navy, pyrogram-styled, pyrogram-zeeb, kelragram, sepgram, and pyrogram-kelra. While these packages include the original Pyrogram source code, they also embed a malicious file named secret.py within the helpers module.

When an infected bot starts, or simply when the trojanized Pyrogram library is imported, the backdoor registers hidden Telegram command handlers. These allow attackers to remotely execute arbitrary Python code or shell commands on the victim's server. Researchers demonstrated that a command such as /asu print(os.environ) reveals the process's environment variables, while /asi cat /etc/passwd runs a system command and exfiltrates a sensitive file such as /etc/passwd.

The stolen data, including command output, is transmitted back to the attackers via Telegram messages. For larger data transfers exceeding 4096 bytes, the information is sent as a document attachment. The backdoor is designed to operate stealthily, suppressing errors and disabling logging to avoid detection. A hardcoded list of Telegram IDs in the OWNERS list grants exclusive control to the threat actors and can also be used to deactivate the backdoor when run on the attacker's own systems.

Notably, the malware specifically targets Telegram bot accounts, which are often deployed in production environments. This indicates the attacker's intent to gain access to valuable assets such as databases, credentials, cloud APIs, and other sensitive infrastructure. The ability to read any file on the server, dump secrets, access Telegram chats, and potentially install persistent backdoors makes this a significant threat.

Despite the malicious packages being uploaded from different PyPI accounts, Checkmarx attributes the entire campaign to a single threat actor. This conclusion is based on the consistent use of the same backdoor code, identical command names, overlapping infrastructure, and the shared OWNERS list across all the compromised packages.

Developers who may have installed any of the identified malicious packages are strongly advised to remove them immediately. Furthermore, they should rotate all credentials on the affected server and revoke their Telegram bot tokens to mitigate the risk of further compromise. Checkmarx has provided indicators of compromise, including the attacker's Telegram IDs and profile URLs, to aid in detection and remediation efforts.
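The following is an added example, not Checkmarx's or Vypr's tooling, that turns the indicators described above (the eight package names, the helpers/secret.py file, the OWNERS list and the /asu and /asi handler names) into a local check a developer can run during the cleanup step. Package-name matching follows PEP 503 normalisation; the file scan is a heuristic over the strings the article names, and the infected tree in demo() is constructed for illustration.

```python
import os
import re
import tempfile
from importlib import metadata

# Package names reported in the article (normalised: lowercase, '-' == '_')
NAVY_GHOST_PACKAGES = {
    "vlifegram", "vlife-gram", "pyrogram-navy", "pyrogram-styled",
    "pyrogram-zeeb", "kelragram", "sepgram", "pyrogram-kelra",
}
# Strings the article attributes to the backdoor; a heuristic, not a signature
SUSPICIOUS_PATTERNS = [re.compile(p) for p in
                       (r"\bOWNERS\b", r"['\"]asu['\"]", r"['\"]asi['\"]")]

def normalise(name: str) -> str:
    """PEP 503-style normalisation so 'VLife_Gram' and 'vlife-gram' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_navy_ghost_packages(names=None):
    """Return reported package names present in `names` (default: the
    distributions installed in the current interpreter)."""
    if names is None:
        names = [d.metadata["Name"] for d in metadata.distributions()]
    return sorted({normalise(n) for n in names} & NAVY_GHOST_PACKAGES)

def suspicious_secret_files(site_packages: str):
    """Walk a site-packages tree and flag any helpers/secret.py whose source
    contains the OWNERS list or the /asu, /asi handler names."""
    hits = []
    for root, _dirs, files in os.walk(site_packages):
        if os.path.basename(root) == "helpers" and "secret.py" in files:
            path = os.path.join(root, "secret.py")
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            matched = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(src)]
            if matched:
                hits.append((path, matched))
    return hits

def demo():
    """Scan a constructed tree that mimics an infected install (no real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        helpers = os.path.join(tmp, "pyrogram", "helpers")
        os.makedirs(helpers)
        with open(os.path.join(helpers, "secret.py"), "w") as fh:
            fh.write("OWNERS = [0]  # constructed placeholder\nCMDS = ['asu', 'asi']\n")
        hits = suspicious_secret_files(tmp)
    pkgs = installed_navy_ghost_packages(["Pyrogram_Navy", "requests"])
    return pkgs, hits
```

On a real host, call installed_navy_ghost_packages() with no arguments and suspicious_secret_files() on each site-packages directory of the affected interpreter; a hit on either check is a reason to follow the credential-rotation and token-revocation steps above.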

Synthesized by Vypr AI