“When the attacker sends /asu print(os.environ) to the victim’s bot, this function compiles and executes that Python code on the victim’s machine — with full access to the live Telegram client, session, chats, contacts, and environment variables,” Checkmarx explains.
What the campaign is and where it lived
Researchers at Checkmarx have documented a supply-chain campaign they call "Operation Navy Ghost" that ran on the Python Package Index (PyPI) between November 2025 and June 2026. The attacker published trojanized forks of the popular Pyrogram project — a Python MTProto API framework used to build Telegram users and bots — embedding a hidden backdoor that activates when an infected package is imported or when an infected bot starts.
The malicious PyPI packages and their reach
Checkmarx identified at least eight malicious PyPI packages. The report lists package names and the recorded download counts on PyPI during the campaign window:
- VLifeGram — nine versions, 4,150 downloads
- VLife-Gram — five versions, 1,030 downloads
- pyrogram-navy — six versions, 2,530 downloads
- pyrogram-styled — more than 16 versions, 15,370 downloads
- pyrogram-zeeb — one version, 432 downloads
- kelragram — three versions, 1,041 downloads
- sepgram — one version, 264 downloads
- pyrogram-kelra — one version, 672 downloads
Although the Pyrogram project is no longer maintained, it remains widely used: Checkmarx quotes nearly 350,000 monthly downloads on PyPI (last updated in April 2023) and more than 1,400 forks on GitHub (last updated in December 2024). The attacker exploited that popularity by publishing forks of the original source code that included an additional malicious module.
How the backdoor works
Each infected fork contains a file named secret.py hidden inside a helpers module. That file registers Telegram command handlers that never surface in the bot owner’s normal operation. The handlers allow remote execution of arbitrary Python code and shell commands with the privileges of the running bot process.
Checkmarx gives concrete examples of the commands and effects: sending /asu print(os.environ) results in the victim bot compiling and executing that Python code with full access to the live Telegram client, session, chats, contacts, and environment variables. Sending /asi cat /etc/passwd runs /bin/bash -c "cat /etc/passwd" on the victim server and returns the output. Outputs larger than 4,096 bytes are returned as document attachments via Telegram.
The backdoor contains a hardcoded OWNERS list of Telegram IDs that grants exclusive control to the attacker and also serves to disable the backdoor if it runs on machines controlled by those IDs. The malware is designed to operate silently: it suppresses errors and disables logging. Checkmarx observed that the backdoor activates only on Telegram bot accounts, a deliberate choice because bots typically run in production environments.
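The mechanism above (command handlers that compile Python or spawn /bin/bash) can be screened for statically. The following audit script is an added example, not code from the Checkmarx report or the Pyrogram project: it parses a module's AST, finds handlers registered through Pyrogram's filters.command decorator, and reports those whose bodies reach exec/eval/compile or a subprocess call. The fixture at the bottom is constructed for the test and is not the real secret.py.

```python
import ast

# Execution primitives the report describes secret.py's handlers reaching:
# compiling/executing Python and spawning /bin/bash from a Telegram command handler.
DYNAMIC_EXEC = {"exec", "eval", "compile", "os.system", "os.popen",
                "subprocess.run", "subprocess.Popen", "subprocess.check_output"}

def _dotted(node):
    """Dotted name for a Name/Attribute chain ('subprocess.run'); '' otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""

def _commands(decorator):
    """Command strings registered by e.g. @Client.on_message(filters.command("asu"))."""
    found = []
    for call in ast.walk(decorator):
        if isinstance(call, ast.Call) and _dotted(call.func).endswith("filters.command"):
            for arg in call.args:  # a single string or a list of strings
                consts = [arg] if isinstance(arg, ast.Constant) else getattr(arg, "elts", [])
                found += [c.value for c in consts
                          if isinstance(c, ast.Constant) and isinstance(c.value, str)]
    return found

def audit_source(source):
    """Return [(commands, dynamic_calls)] for each command handler whose body runs code.
    Static only: an aliased exec or a callee resolved at runtime is not caught."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            cmds = [c for d in fn.decorator_list for c in _commands(d)]
            calls = sorted({_dotted(n.func) for n in ast.walk(fn)
                            if isinstance(n, ast.Call) and _dotted(n.func) in DYNAMIC_EXEC})
            if cmds and calls:
                findings.append((cmds, calls))
    return findings

# Constructed fixture shaped like the handler the report describes (not the real secret.py).
SAMPLE = '''
@Client.on_message(filters.command("asi"))
async def run_shell(client, message):
    await message.reply(subprocess.check_output(["/bin/bash", "-c", message.text]))
'''
```

Run audit_source over every .py file under a virtualenv's site-packages to screen installed Pyrogram forks; because the check is purely static, a clean result is a screen rather than proof of absence.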
Attribution, indicators, and the immediate remediation checklist
Although the malicious packages were published from different PyPI accounts, Checkmarx attributes the campaign to a single threat actor. That attribution rests on a shared OWNERS list across packages, identical backdoor code, matching command names and handlers, and overlapping infrastructure. Checkmarx has published indicators of compromise, including the malicious Telegram IDs and attacker profile URLs.
Checkmarx's recommended immediate actions for anyone who installed the listed packages are explicit: remove the malicious packages, rotate all credentials on the affected server, and revoke Telegram bot tokens. The report also notes the consequences of not doing so — once a bot is active, an attacker can read arbitrary files on the server, dump secrets, access Telegram chats, download databases, and install persistent backdoors.
What this means for developers, Telegram bot operators, and maintainers
Developers building Telegram bots: packages that appear to be Pyrogram forks can carry active remote-execution payloads. If you used any of the named packages, follow Checkmarx’s guidance: uninstall, rotate credentials, and revoke bot tokens.
Telegram bot operators in production: the backdoor targets bot accounts specifically and is designed to run without obvious errors or logs, meaning attackers can reach databases, credentials, cloud APIs, and other sensitive infrastructure while remaining quiet.
Open-source maintainers and package auditors: the campaign illustrates how forks of an unmaintained but popular project can be weaponized. Shared code, identical backdoors, and reused configuration (the OWNERS list) provided the linking evidence that allowed analysts to group the packages into a single campaign.
Operation Navy Ghost is a reminder that supply-chain threats can be surgical: a single hidden helper module compiled into widely used forks gave attackers a direct, low-friction route into live bot instances and the infrastructure those bots run on. Developers who rely on third-party PyPI packages — especially forks of unmaintained projects — now have a concrete list of names to check and immediate steps to follow.