
Trojanized Pyrogram Packages Compromise Telegram Bot Servers

The gist: Trojanized PyPI packages enable attackers to read arbitrary files on servers running Telegram bots with Pyrogram.

Since November 2024, attackers have been distributing manipulated Pyrogram forks via the Python package repository PyPI to extract files from servers of Telegram bot developers.

Since November 2024, a campaign has been targeting Python developers who build Telegram bots using the Pyrogram framework. Attackers have uploaded fake versions of the Pyrogram package to PyPI – the official repository for Python dependencies – to trick developers into downloading these trojanized variants.

The manipulated packages contain backdoor functionality that allows attackers to extract arbitrary files from compromised servers. This can provide access to sensitive configuration data, API keys, database credentials, and other protected information required for bot operations.

For CISOs, this is relevant because the supply chain via public package repositories represents a persistent risk. Development teams could unwittingly install such counterfeit dependencies, especially when packages carry similar or subtly different names (typosquatting). A dependency management strategy with package signature verification, regular audits of production dependencies, and blocklists of known malicious PyPI packages becomes necessary to detect and prevent such attacks.
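One concrete form the "regular audits" above can take is a check of a project's requirements file against a blocklist and against lookalikes of the dependencies it is known to use. The script below is an added illustration, not code from the article or from the Pyrogram project; the blocklist entry, the lookalike names and the sample requirements are constructed placeholders, not real indicators.

```python
import re

# Packages this project is known to depend on (the article's case: Pyrogram).
TRUSTED = {"pyrogram"}
# Known-malicious names; this entry is a constructed placeholder, not a real IoC.
BLOCKLIST = {"example-blocked-pkg"}
MAX_DISTANCE = 2  # edit distance at or below which a name counts as a lookalike

def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold, collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than pull a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def audit_requirements(text: str) -> list[tuple[str, str]]:
    """Return (normalized_name, reason) for every requirement that needs review."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option line
            continue
        m = NAME_RE.match(line)
        if not m:
            continue
        name = normalize(m.group(1))
        if name in BLOCKLIST:
            findings.append((name, "blocklisted"))
        elif name not in TRUSTED:
            for t in TRUSTED:
                if levenshtein(name, t) <= MAX_DISTANCE:
                    findings.append((name, f"lookalike of {t}"))
                    break
                if t in name:  # e.g. a "fork" or "utils" suffix glued onto a trusted name
                    findings.append((name, f"embeds trusted name {t}"))
                    break
    return findings

SAMPLE = """\
# constructed sample requirements.txt
pyrogram>=2
pyrogran               # constructed typo
Pyrogram_fork==1.0     # constructed lookalike, not a real package
requests>=2.31
example-blocked-pkg
"""

if __name__ == "__main__":
    for name, reason in audit_requirements(SAMPLE):
        print(f"{name}: {reason}")
```

Run it against a real requirements file by reading the file into `audit_requirements`; anything it reports is a candidate for manual review, not an automatic verdict.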


Source: www.bleepingcomputer.com · Published June 30, 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.
