Security researchers at Checkmarx have identified a sustained supply-chain campaign targeting Python developers who build Telegram bots using the Pyrogram framework. Dubbed Operation Navy Ghost, the effort has been active since at least November 2025 and spans at least eight trojanized packages published to the Python Package Index (PyPI), collectively accumulating more than 25,000 downloads.

The Packages and Their Reach

All eight packages are forks of Pyrogram that preserve the original source code, so they behave normally and avoid suspicion. The malicious additions live in a single file named secret.py, planted inside the helpers module. The eight packages identified by Checkmarx are:

  • VLifeGram (nine versions, approximately 4,150 downloads)
  • VLife-Gram (five versions, approximately 1,030 downloads)
  • pyrogram-navy (six versions, approximately 2,530 downloads)
  • pyrogram-styled (more than 16 versions, approximately 15,370 downloads)
  • pyrogram-zeeb (one version, approximately 432 downloads)
  • kelragram (three versions, approximately 1,041 downloads)
  • sepgram (one version, approximately 264 downloads)
  • pyrogram-kelra (one version, approximately 672 downloads)

Pyrogram itself, though no longer maintained, remains widely used, with roughly 350,000 monthly downloads on PyPI. That large install base makes it a practical target for lookalike forks of this kind.

How the Backdoor Operates

When an infected bot starts, secret.py registers additional Telegram command handlers that the bot’s legitimate operator never sees. An attacker who sends specially crafted Telegram messages to the bot can trigger two primary capabilities: arbitrary Python code execution with full access to the live Telegram client, session data, and environment variables; and arbitrary shell command execution, with the output returned to the attacker as Telegram messages. If command output exceeds 4,096 bytes, it is delivered as a document attachment instead.

The backdoor activates only for Telegram bot accounts, not userbots. Bots typically run on production servers, so this choice signals that the attacker is after databases, stored credentials, cloud API keys, and other infrastructure resources reachable from those hosts.

A hardcoded list of Telegram account IDs serves two purposes: it is the allowlist of accounts permitted to issue commands, and it keeps the backdoor from activating when the code runs on the attacker’s own systems. Errors are swallowed and logging is disabled so the malware stays quiet in operation.

Attribution and Infrastructure

Although the packages were published from distinct PyPI accounts, Checkmarx attributes all of the activity to a single threat actor, based on the shared hardcoded owner list, identical backdoor logic, consistent command naming conventions, and overlapping infrastructure across all eight packages.

Recommended Response

Developers who have installed any of the listed packages should take the following steps immediately:

  • Remove the affected package and audit any systems where it was deployed.
  • Rotate all credentials and secrets accessible from the compromised environment.
  • Revoke and regenerate Telegram bot tokens associated with affected bots.
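As a starting point for the first of those steps, the following script (an added example, not Checkmarx’s tooling or anything from the report) checks a requirements or pip-freeze listing against the eight package names above, using pip’s name normalization so that spelling variants such as vlife_gram are caught, and walks an installed package tree for the helpers/secret.py module the article names as the backdoor’s location. The requirements text and directory layout it runs on are constructed for the demonstration; trojan_demo and clean_pkg are invented names, and a helpers/secret.py hit is a lead to inspect, not proof of compromise.

```python
import re
import tempfile
from pathlib import Path

# Package names reported by Checkmarx for Operation Navy Ghost (from the article).
NAVY_GHOST_PACKAGES = [
    "VLifeGram", "VLife-Gram", "pyrogram-navy", "pyrogram-styled",
    "pyrogram-zeeb", "kelragram", "sepgram", "pyrogram-kelra",
]


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become one '-'.
    pip treats VLife-Gram, vlife_gram and VLIFE.GRAM as the same project,
    while VLifeGram (no separator) stays a different project."""
    return re.sub(r"[-_.]+", "-", name).lower()


BAD_NORMALIZED = {normalize(n) for n in NAVY_GHOST_PACKAGES}

# Project name at the start of a requirements / pip-freeze line; extras,
# version specifiers and environment markers follow it and are ignored.
_REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def flag_requirements(text: str) -> list[str]:
    """Return the original spelling of every listed project that is one of the
    trojanized forks. Blank lines, comments and pip options ('-e', '-r') are skipped."""
    hits = []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped or stripped.startswith("-"):
            continue
        m = _REQ_LINE.match(stripped)
        if m and normalize(m.group(1)) in BAD_NORMALIZED:
            hits.append(m.group(1))
    return hits


def find_secret_modules(site_packages: Path) -> list[Path]:
    """Locate every secret.py whose parent directory is 'helpers' under an
    installed package tree. The article names helpers/secret.py as the file
    carrying the backdoor; each hit should be opened and read, not just deleted."""
    return sorted(p for p in Path(site_packages).rglob("secret.py")
                  if p.parent.name == "helpers")


# Constructed sample, not a real lockfile: mixes clean and trojanized entries.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements
pyrogram==2.0.106
TgCrypto>=1.2.5
vlife_gram==1.0.3          # pip normalizes this to vlife-gram
Pyrogram-Styled[fast]>=0.9 ; python_version >= "3.9"
requests==2.32.3
-e git+https://example.invalid/repo.git#egg=mybot
"""


def demo() -> dict:
    """Run both checks on constructed data: the sample requirements above and a
    throwaway directory tree imitating a site-packages layout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Invented layout: clean_pkg has a secret.py outside any helpers directory
        # (should not match); trojan_demo carries helpers/secret.py (should match).
        (root / "clean_pkg").mkdir()
        (root / "clean_pkg" / "secret.py").write_text("# unrelated module\n")
        (root / "trojan_demo" / "helpers").mkdir(parents=True)
        (root / "trojan_demo" / "helpers" / "secret.py").write_text("# constructed stand-in\n")
        found = [p.relative_to(root).as_posix() for p in find_secret_modules(root)]
    return {
        "flagged_packages": flag_requirements(SAMPLE_REQUIREMENTS),
        "secret_modules": found,
    }


if __name__ == "__main__":
    print(demo())
```

Against real systems, feed flag_requirements the output of pip freeze and point find_secret_modules at the directories printed by site.getsitepackages(); a hit from either check is the trigger for the credential rotation and bot-token revocation steps above.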

Checkmarx has published indicators of compromise, including the attacker’s Telegram IDs and profile URLs, to assist defenders in identifying exposure.