# Operation Navy Ghost: Malicious PyPI Packages Hijack Telegram Bot Servers
A sophisticated campaign dubbed 'Operation Navy Ghost' has been targeting Python developers using **Pyrogram** to build Telegram bots. Attackers are distributing trojanized **PyPI** packages that grant them arbitrary file read access and remote code execution capabilities on compromised servers, posing a significant supply chain risk.
Since November 2025, a persistent campaign has been leveraging the **Python Package Index (PyPI)** to distribute malicious forks of the popular **Pyrogram** library. These trojanized packages, once integrated into a Telegram bot, enable attackers to execute arbitrary code and read sensitive files on the host server.
### The Allure of Pyrogram
**Pyrogram**, an 'elegant, modern and asynchronous Telegram MTProto API framework,' remains widely used despite no longer being actively maintained. With nearly 350,000 monthly downloads and over 1,400 **GitHub** forks, its popularity makes it a prime target for supply chain attacks.
### Operation Navy Ghost Uncovered
Security researchers at **Checkmarx** identified and detailed this campaign, naming it 'Operation Navy Ghost.' Between November 2025 and June 2026, the threat actor published at least eight malicious **Pyrogram** forks on **PyPI**.
These include:
* **VLifeGram** (nine versions, 4,150 downloads)
* **VLife-Gram** (five versions, 1,030 downloads)
* **pyrogram-navy** (six versions, 2,530 downloads)
* **pyrogram-styled** (over 16 versions, 15,370 downloads)
* **pyrogram-zeeb** (one version, 432 downloads)
* **kelragram** (three versions, 1,041 downloads)
* **sepgram** (one version, 264 downloads)
* **pyrogram-kelra** (one version, 672 downloads)
### The Backdoor: `secret.py`
The malicious packages are forks of the legitimate **Pyrogram** project, incorporating the original source code. However, they also contain a hidden backdoor file named `secret.py` within the `helpers` module. This backdoor activates when an infected bot launches or when **Pyrogram** is imported, registering hidden Telegram command handlers.

This functionality allows attackers to execute Python code or shell commands remotely. As **Checkmarx** explains, sending commands like `/asu print(os.environ)` can compile and execute Python code with full access to the Telegram client, session, chats, contacts, and environment variables. Similarly, `/asi cat /etc/passwd` executes shell commands, returning the output via Telegram messages, or as a document attachment if it exceeds 4096 bytes.
### Silent Operation and Targeted Exploitation
The backdoor is designed for stealth, suppressing errors and disabling logging. It specifically targets Telegram bot accounts, which typically operate in production environments. This indicates the attacker's intent to gain access to critical assets such as databases, credentials, cloud APIs, and sensitive infrastructure.

The malware includes a hardcoded 'OWNERS' list of Telegram IDs, granting exclusive control to the threat actors and deactivating the backdoor on their own systems. **Checkmarx** attributes the campaign to a single actor due to the shared 'OWNERS' list, identical backdoor code, command names, and overlapping infrastructure.
Once active, the attacker can read any file on the server, dump secrets, access the victim's Telegram chats, download databases, and install persistent backdoors.
### Recommendations for Developers
Developers who have installed any of the listed malicious packages are urged to take immediate action:
* Remove the packages without delay.
* Rotate all credentials on the affected server.
* Revoke their Telegram bot tokens.
**Checkmarx** has provided indicators of compromise, including malicious Telegram IDs and attacker profile URLs, to assist in identification and mitigation.
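As an added example (not code from Checkmarx or the article), the script below audits a Python environment against the eight package names listed above and scans a site-packages tree for the `helpers/secret.py` backdoor pattern. The `asu`/`asi` handler fingerprints and the sample files in `demo()` are assumptions built from the article's description, not the real malware.

```python
import importlib.metadata
import re
import tempfile
from pathlib import Path

# Distribution names from the Checkmarx list above, normalized (lowercase, '-' for '_' and '.').
MALICIOUS_DISTS = {
    "vlifegram", "vlife-gram", "pyrogram-navy", "pyrogram-styled",
    "pyrogram-zeeb", "kelragram", "sepgram", "pyrogram-kelra",
}
# Assumed fingerprints of the described backdoor: hidden "asu"/"asi" command names next to an exec primitive.
CMD_RE = re.compile(r'["\']/?as[ui]["\']')
EXEC_RE = re.compile(r'\bcompile\(|\bexec\(|subprocess\.|os\.popen\(')


def normalize(name: str) -> str:
    """PEP 503 style normalization so 'VLife_Gram' and 'vlife-gram' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_malicious_dists() -> list[str]:
    """Installed distributions whose name is on the known-bad list."""
    names = [d.metadata["Name"] for d in importlib.metadata.distributions()]
    return sorted(n for n in names if n and normalize(n) in MALICIOUS_DISTS)


def scan_tree(root: Path) -> list[dict]:
    """Flag helpers/secret.py files and any module wiring an asu/asi handler to an exec primitive."""
    findings = []
    for path in root.rglob("*.py"):
        text = path.read_text(errors="ignore")
        reasons = []
        if path.name == "secret.py" and path.parent.name == "helpers":
            reasons.append("helpers/secret.py present")
        if CMD_RE.search(text) and EXEC_RE.search(text):
            reasons.append("asu/asi handler with exec primitive")
        if reasons:
            findings.append({"file": path.relative_to(root).as_posix(), "reasons": reasons})
    return sorted(findings, key=lambda f: f["file"])


def demo() -> list[dict]:
    """Constructed sample tree (not the real malware): one backdoored fork, one clean module."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = root / "pyrogram_fork" / "helpers" / "secret.py"
        bad.parent.mkdir(parents=True)
        bad.write_text('@app.on_message(filters.command("asu"))\n'
                       'async def run(c, m): exec(compile(m.text, "<tg>", "exec"))\n')
        (root / "clean_utils.py").write_text('def ping():\n    return "pong"\n')
        return scan_tree(root)
```

Run `scan_tree(Path(site.getsitepackages()[0]))` against a real environment; a renamed fork without `secret.py` is still caught by the handler fingerprint.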