A campaign dubbed Operation Navy Ghost has been targeting Python developers who build Telegram bots by publishing trojanized Pyrogram forks on PyPI. The hidden backdoor, secret.py, can execute attacker-supplied Python or shell commands, steal files and secrets, and exfiltrate data from infected servers. #OperationNavyGhost #Pyrogram #PyPI
Key points
- Attackers published at least eight malicious Pyrogram forks on PyPI.
- The packages hide a backdoor in a file named secret.py inside the helpers module.
- The malware activates when importing Pyrogram or when an infected bot starts.
- It can run arbitrary Python code and shell commands on compromised servers.
- Checkmarx says the campaign targets Telegram bot accounts and likely seeks sensitive infrastructure access.
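A defender-side check for the indicator described above, written as an added example (it is not code from the article or from Checkmarx): it lists every installed distribution whose recorded files include a secret.py inside a helpers directory. The malicious package names are not given here, so the match is by path only, and it assumes each package was installed with standard RECORD metadata.

```python
"""Flag installed distributions that ship a helpers/secret.py file."""
import sys
from importlib.metadata import distributions

# From the article: the backdoor is a file named secret.py inside the helpers module.
SUSPECT_SUFFIX = ("helpers", "secret.py")


def find_suspect_files(search_path=None):
    """Return sorted (distribution, version, path) tuples for matching files.

    Only package metadata (RECORD) is read. Nothing is imported, because the
    article says the backdoor activates when the package is imported.
    """
    paths = list(sys.path) if search_path is None else list(search_path)
    hits = set()
    for dist in distributions(path=paths):
        name = dist.metadata.get("Name") or "<unknown>"
        for f in dist.files or []:  # files is None when no RECORD exists
            if tuple(part.lower() for part in f.parts[-2:]) == SUSPECT_SUFFIX:
                hits.add((name, dist.version, str(f)))
    return sorted(hits)


if __name__ == "__main__":
    found = find_suspect_files()
    for name, version, path in found:
        print(f"REVIEW {name}=={version}: {path}")
    sys.exit(1 if found else 0)
```

A match is a lead for manual review, not proof of compromise, since an unrelated package could ship a file with the same path. Run it with the interpreter of each bot's virtual environment so that environment's site-packages is the one inspected.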