What Happened
Attackers published at least eight malicious packages to the Python Package Index (PyPI), each pretending to be a legitimate fork of Pyrogram, a popular Python framework for building Telegram bots. Checkmarx researchers called this campaign "Operation Navy Ghost." The packages contained hidden backdoors that allowed remote execution of arbitrary Python code or shell commands on any server that installed them.
The target was developers running Telegram bot servers, and the payload was full control of the compromised infrastructure.
Pyrogram itself is unmaintained—its last commit was years ago. Yet it still pulls nearly 350,000 monthly downloads. The attackers exploited this gap: a widely-used library with no active maintainer to spot malicious forks or warn the community.
Timeline
Pre-incident: Pyrogram development stops. The project remains popular but receives no security updates or maintenance.
Attack phase: Attackers create packages with names similar to Pyrogram forks (specific package names not disclosed in the reporting). They publish these to PyPI with backdoor code embedded in the installation or initialization routines.
Discovery: Checkmarx security researchers identify the malicious packages during routine monitoring of PyPI submissions.
Current state: The packages have been removed from PyPI. The number of affected installations remains unknown.
Which Controls Failed or Were Missing
Dependency verification: Teams installed packages without verifying publisher identity, package signatures, or comparing checksums against known-good versions.
Supply chain visibility: Organizations lacked inventory systems that would flag the introduction of a new dependency—especially a fork of an existing one.
Runtime monitoring: The backdoor enabled outbound connections and command execution. Standard network monitoring or EDR tools should have detected this, but either weren't deployed or weren't configured to alert on these patterns.
Package vetting: No manual or automated review occurred before adding these dependencies to production systems. The packages would have failed basic static analysis: backdoor code that opens network sockets and executes arbitrary commands is detectable.
Unmaintained dependency tracking: Teams continued using Pyrogram despite its abandoned status. No process existed to identify and remediate dependencies that no longer receive security updates.
What the Standards Require
PCI DSS v4.0.1 Requirement 6.3.2 mandates that you maintain an inventory of bespoke and custom software and third-party components. This includes tracking version numbers and whether each component is still supported. If your payment processing systems use Python dependencies, this requirement applies directly.
OWASP ASVS v4.0.3 Requirement 14.2.1 states: "All components should be up to date with proper security configuration(s) and version(s)." An unmaintained library with 350,000 monthly downloads fails this requirement by definition.
NIST 800-53 Rev 5 Control SA-10 (Developer Configuration Management) requires organizations to track and control changes to software components throughout the development lifecycle. Installing a fork of a known dependency without documenting why, who approved it, and what changed violates this control.
ISO 27001 Control 8.31 (Separation of development, test and production environments) doesn't prevent this attack directly, but proper environment separation would limit the blast radius. If your bot servers run in production environments that can reach sensitive systems, a compromised dependency becomes a lateral movement vector.
SOC 2 Type II Common Criteria CC7.1 requires you to detect and respond to security events. A backdoor that executes shell commands and opens network connections generates detectable events—but only if you're monitoring for them.
Lessons and Action Items for Your Team
Create a dependency approval process. Before any new package enters your codebase:
- Verify the publisher identity matches the official project
- Check the package's Git repository for recent commits and active maintainers
- Compare the package checksum against official sources
- Run static analysis to detect suspicious network calls or command execution
Inventory your unmaintained dependencies now. Run pip list --outdated or your language's equivalent. For each package that hasn't been updated in over a year, check its repository. If development has stopped, you have three options: find an actively maintained fork, contribute maintenance yourself, or replace it. Document your decision and timeline.
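The approval checks above (publisher identity, repository activity, checksum) and the staleness check from the inventory step, as one pre-install gate. This is an added example, not code from the article or from any tool it names; it assumes the caller has already fetched the project's metadata from the PyPI JSON API and downloaded the artifact, and the metadata and artifact bytes below are constructed stand-ins.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed sample: bytes of a downloaded wheel and the SHA-256 we pinned in
# requirements.txt after reviewing that release (pip's --require-hashes format).
ARTIFACT = b"constructed wheel bytes for demonstration"
PINNED_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed metadata shaped like a PyPI JSON API response
# (https://pypi.org/pypi/<name>/json); only the fields the checks use are kept.
SAMPLE_META = {
    "info": {"name": "example-telegram-lib",
             "project_urls": {"Source": "https://github.com/example-org/example-telegram-lib"}},
    "releases": {
        "1.0.0": [{"upload_time_iso_8601": "2021-03-01T10:00:00.000000Z"}],
        "1.0.1": [{"upload_time_iso_8601": "2022-01-15T10:00:00.000000Z"}],
    },
}

def checksum_matches(artifact: bytes, pinned_sha256: str) -> bool:
    """Checksum step: the downloaded bytes must hash to the value we pinned."""
    return hmac.compare_digest(hashlib.sha256(artifact).hexdigest(), pinned_sha256)

def repo_matches(meta: dict, official_repo: str) -> bool:
    """Publisher step: the declared source URL must point at the official
    repository; a lookalike fork published under a similar name will not."""
    urls = (meta["info"].get("project_urls") or {}).values()
    return any(u.rstrip("/").lower() == official_repo.rstrip("/").lower() for u in urls)

def days_since_last_release(meta: dict, now_iso: str) -> int:
    """Activity/inventory step: age in days of the newest upload of any release."""
    uploads = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
               for files in meta["releases"].values() for f in files]
    return (datetime.fromisoformat(now_iso) - max(uploads)).days

def approve(meta, artifact, pinned_sha256, official_repo, now_iso, max_stale_days=365):
    """Gate a new dependency: any failed check blocks the install and is reported."""
    reasons = []
    if not checksum_matches(artifact, pinned_sha256):
        reasons.append("checksum mismatch: artifact differs from the reviewed release")
    if not repo_matches(meta, official_repo):
        reasons.append("source URL does not match the official repository")
    age = days_since_last_release(meta, now_iso)
    if age > max_stale_days:
        reasons.append(f"last release {age} days ago: treat as unmaintained")
    return (not reasons, reasons)
```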
Deploy runtime monitoring that flags command execution. Your EDR or SIEM should alert when a Python process spawns a shell or makes unexpected network connections. For Telegram bots specifically, whitelist the official Telegram API endpoints and alert on any other outbound traffic.
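The two alert conditions above (a Python process spawning a shell, and egress from a Python process to anything other than the Telegram API) as detection rules run over sample telemetry. This is an added example, not from the article; the JSON-lines event format and the events themselves are constructed stand-ins for whatever your EDR or auditd pipeline emits, so map the field names to your own data.

```python
import json

# Allowlisted egress for a Telegram bot host: Telegram's API hostname plus any
# explicitly approved services you add here.
ALLOWED_EGRESS = {"api.telegram.org"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/zsh"}

def is_python(exe: str) -> bool:
    """True for interpreter paths such as /usr/bin/python3 or /opt/venv/bin/python."""
    return exe.rsplit("/", 1)[-1].startswith("python")

def evaluate(event: dict):
    """Return an alert string for a suspicious event, or None if it is benign."""
    if event.get("type") == "process":
        if is_python(event.get("parent_exe", "")) and event.get("exe") in SHELLS:
            return f"python spawned shell: {event.get('cmd')}"
    elif event.get("type") == "connect":
        if is_python(event.get("exe", "")) and event.get("dst_host") not in ALLOWED_EGRESS:
            return f"unexpected egress to {event['dst_host']}:{event.get('dst_port')}"
    return None

def scan(lines):
    """Run the rules over JSON-lines telemetry; return (pid, alert) pairs."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        alert = evaluate(event)
        if alert:
            alerts.append((event.get("pid"), alert))
    return alerts

# Constructed sample events: one legitimate API call, one shell spawned by the
# bot's interpreter, one connection to a non-allowlisted host (TEST-NET address),
# and one unrelated shell spawned by cron that must not fire the rule.
SAMPLE_EVENTS = """
{"type":"connect","pid":4101,"exe":"/usr/bin/python3","dst_host":"api.telegram.org","dst_port":443}
{"type":"process","pid":4102,"parent_pid":4101,"parent_exe":"/usr/bin/python3","exe":"/bin/sh","cmd":"sh -c id"}
{"type":"connect","pid":4101,"exe":"/usr/bin/python3","dst_host":"203.0.113.10","dst_port":4444}
{"type":"process","pid":4103,"parent_pid":1,"parent_exe":"/usr/sbin/cron","exe":"/bin/sh","cmd":"sh -c logrotate"}
""".splitlines()

if __name__ == "__main__":
    for pid, alert in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {alert}")
```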
Implement package signature verification. PyPI supports package signing through Sigstore. Configure your package manager to reject unsigned packages or packages signed by untrusted keys. Yes, this will slow down your dependency updates. That's the point.
Separate bot infrastructure from production systems. Run your Telegram bots in isolated network segments with strict egress filtering. They should only reach Telegram's API and any explicitly approved services. If a bot gets compromised, the attacker shouldn't be able to pivot to your database servers or internal APIs.
Monitor for dependency confusion attacks. Set up alerts for new packages published to PyPI that match your internal package names or are forks of your dependencies. Attackers often test variations of popular package names to see what gets installed.
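A watch rule for the alerting described above, as an added example that is not part of the article: it compares a batch of newly published PyPI names against your internal package names (collisions, after PEP 503 normalization) and your dependencies (fork-style names and one-character variants). The new-name batch below is constructed; in practice it would come from a PyPI feed, and the matches are review alerts, not automatic blocks.

```python
import re

def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character variants of a name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(new_name: str, internal: set, deps: set):
    """Return a reason string if the new name deserves review, else None.
    internal and deps must already be normalized."""
    n = normalize(new_name)
    if n in internal:
        return "dependency confusion: matches internal package name"
    for d in deps:
        if n == d:
            return None  # a new release of the dependency itself
        if edit_distance(n, d) <= 1:
            return f"possible typosquat of {d}"
        if d in n.split("-") or n.startswith(d):
            return f"possible fork of {d}"
    return None

def watch(new_names, internal_names, dep_names):
    """Map each flagged new name to its reason."""
    internal = {normalize(x) for x in internal_names}
    deps = {normalize(x) for x in dep_names}
    flagged = {}
    for name in new_names:
        reason = classify(name, internal, deps)
        if reason:
            flagged[name] = reason
    return flagged

# Constructed sample: one internal name, one dependency, and a batch of
# hypothetical newly published names to screen.
INTERNAL = {"acme-payments-core"}
DEPS = {"pyrogram"}
SAMPLE_NEW_NAMES = ["acme_payments_core", "Pyrogram-Fork", "pyrogramm", "numpy", "pyrogram"]
```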
Review your incident response plan. If you discovered a backdoored package in production right now, what would you do? Who would you notify? How would you identify all affected systems? How would you verify that the attacker didn't establish persistence? Write down the answers before you need them.
The Pyrogram campaign succeeded because teams treated package installation as a convenience operation rather than a trust decision. Every pip install is a vote of confidence in a stranger's code. Make it a conscious choice.