checkmarx.com
Operation Navy Ghost Targets Telegram Bot Developers with Malicious PyPI Packages
Article Content
A malware campaign named Operation Navy Ghost has been targeting Python developers creating Telegram bots by distributing trojanized forks of the popular Pyrogram library. Between November 2025 and June 2026, at least eight malicious packages were published on the Python Package Index (PyPI), each containing a backdoor that allows attackers to gain full control over compromised servers. The backdoor, hidden in a file named secret.py, activates when the bot starts, enabling attackers to execute arbitrary commands and exfiltrate sensitive data. The attackers use Telegram for command and control, complicating detection and mitigation efforts.

The Pyrogram library, which has nearly 350,000 monthly downloads, remains popular despite being unmaintained. The malicious packages have since been removed from PyPI, but they may still exist in private registries or on developer machines. Organizations are advised to check for these packages and monitor their environments for signs of compromise.
Key Points:
• Operation Navy Ghost targets Telegram bot developers with trojanized Pyrogram forks.
• At least eight malicious packages were published on PyPI containing a backdoor for remote control.
• Affected organizations should check for these packages and monitor for signs of compromise.
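One way to run the advised check on a developer machine or build image, as an added example that is not code from Checkmarx or the Pyrogram project. It assumes the forks keep the upstream `pyrogram` import package; the article does not list package names here, so the names in any test data are constructed placeholders.

```python
"""Audit installed distributions for Pyrogram forks that ship a secret.py file."""
from importlib.metadata import distributions
from pathlib import PurePosixPath

LEGIT_NAME = "pyrogram"      # upstream project name on PyPI
IMPORT_NAME = "pyrogram"     # assumption: forks keep the upstream import package
BACKDOOR_FILE = "secret.py"  # file name given in the article


def installed_records():
    """Yield (distribution name, [installed file paths]) for this environment."""
    for dist in distributions():
        name = dist.metadata.get("Name") or ""
        yield name, [str(f) for f in (dist.files or [])]


def audit(records):
    """Return findings for distributions that install a top-level pyrogram package.

    Each finding is (name, reason, matching_files). Findings are leads for
    manual review, not verdicts.
    """
    findings = []
    for name, files in records:
        paths = [PurePosixPath(f.replace("\\", "/")) for f in files]
        if not any(p.parts and p.parts[0] == IMPORT_NAME for p in paths):
            continue  # does not provide the pyrogram import package
        hits = [str(p) for p in paths if p.name == BACKDOOR_FILE]
        is_fork = name.lower().replace("_", "-") != LEGIT_NAME
        if hits:
            findings.append((name, "ships secret.py", hits))
        elif is_fork:
            findings.append((name, "pyrogram fork, review source", []))
    return findings


if __name__ == "__main__":
    for name, reason, hits in audit(installed_records()):
        print(f"{name}: {reason} {hits}")
```

Run it with the interpreter of each virtual environment or container image that hosts a bot, since it inspects only the environment it executes in.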