A newly discovered malicious Python package, dubbed ‘Pyronut’, has been found on the Python Package Index (PyPI), posing a significant threat to developers building Telegram bots. Pyronut actively impersonates the popular ‘pyrogram’ framework, a tool used by hundreds of thousands of developers monthly. Instead of traditional typo-squatting tactics, the attackers employed a more sophisticated approach by creating a malicious fork, copying the entire project description of ‘pyrogram’ to deceive unsuspecting users through social engineering.
The discovery was made by researchers at Endor Labs on March 18, 2026, the same day three malicious versions (2.0.184, 2.0.185, and 2.0.186) were published on PyPI. These versions were quickly quarantined, significantly shortening the attack window. However, any developer who installed and ran the package during that brief window was fully exposed to the backdoor described below.
Runtime Backdoor: How the ‘Pyronut’ Attack Operated
What made ‘Pyronut’ particularly insidious was its runtime activation strategy. Unlike many malicious packages that execute harmful code during the installation process via ‘setup.py’ hooks, ‘Pyronut’ remained dormant until the developer actually ran their bot. The hidden backdoor module was embedded at ‘pyrogram/helpers/secret.py’ and loaded silently every time the Telegram client started, sidestepping install-time security checks entirely.
The consequences of a successful infection were severe, granting the attacker dual Remote Code Execution (RCE) capabilities. This meant the attacker could run arbitrary Python code and arbitrary shell commands on the victim’s machine. This level of access could lead to widespread compromise, including credential theft, data exfiltration, lateral movement across connected systems, and complete takeover of the victim’s active Telegram session. The ‘Pyronut’ package backdoors Telegram bots with remote code execution, making it a critical threat.
The backdoor’s activation was triggered by the ‘Client.start()’ method, a fundamental step for initializing any ‘pyrogram’-based Telegram bot. The threat actor modified this method within ‘pyrogram/methods/utilities/start.py’ to silently import and execute the hidden ‘secret.py’ module. Importantly, this entire process was wrapped in a bare ‘try/except: pass’ block. This meant that if the backdoor encountered any errors, it would fail silently, allowing the bot to continue running without raising suspicion.
Once activated, the backdoor established two hidden message handlers within the victim’s Telegram client. These handlers were tied to hardcoded attacker account IDs. The first handler, activated by the ‘/e’ command, utilized the ‘meval’ library to execute arbitrary Python code directly within the live session. This granted the attacker comprehensive access to messages, contacts, and Telegram API functions. The second handler, ‘/shell,’ directly passed commands to ‘/bin/bash’ via subprocess, offering the attacker unrestricted system-level access.
Command outputs were surreptitiously sent back to the attacker through Telegram itself, appearing in the same chat where the commands were issued. This method of exfiltration left no discernible trace of unusual external network connections, suspicious DNS queries, or Command and Control (C2) domains that could be flagged by conventional monitoring tools, making the backdoor exceptionally difficult to detect through standard network analysis.
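The artefacts described above can be checked for on disk. The following scanner is an added example, not code from Endor Labs or the pyrogram project: it walks one site-packages directory looking for the three indicators the write-up names (metadata for the malicious distribution, the hidden ‘pyrogram/helpers/secret.py’, and a ‘start.py’ that imports a module named ‘secret’ inside an exception handler that does nothing but pass). The exact import statement and the dist-info directory naming are assumptions, and demo() runs the scan against a constructed fake tree so it executes offline; point scan_site_packages() at a real site-packages path to use it.

```python
from __future__ import annotations
import ast
import re
import tempfile
from pathlib import Path

# On-disk indicators from the write-up; the dist-info naming is an assumption about pip's layout.
DIST_INFO_RE = re.compile(r"^pyronut-2\.0\.18[456]\.dist-info$", re.IGNORECASE)
HIDDEN_MODULE = Path("pyrogram/helpers/secret.py")
START_METHOD = Path("pyrogram/methods/utilities/start.py")

def silent_secret_import(source: str) -> bool:
    """True if a module named 'secret' is imported inside a try whose handler only passes."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return False
    for node in (n for n in ast.walk(tree) if isinstance(n, ast.Try)):
        # bare 'except: pass' as described; a typed handler that only passes is treated the same
        if not any(all(isinstance(s, ast.Pass) for s in h.body) for h in node.handlers):
            continue
        for inner in ast.walk(node):
            if isinstance(inner, (ast.Import, ast.ImportFrom)):
                names = [a.name for a in inner.names] + [getattr(inner, "module", None) or ""]
                if any(n.split(".")[-1] == "secret" for n in names):
                    return True
    return False

def scan_site_packages(root: Path) -> list[str]:
    """Return findings for one site-packages directory (an empty list means nothing found)."""
    findings = [f"distribution metadata for the malicious package: {p.name}"
                for p in root.iterdir() if p.is_dir() and DIST_INFO_RE.match(p.name)]
    if (root / HIDDEN_MODULE).is_file():
        findings.append(f"hidden backdoor module present: {HIDDEN_MODULE}")
    start = root / START_METHOD
    if start.is_file() and silent_secret_import(start.read_text(encoding="utf-8")):
        findings.append(f"Client.start() patched to import 'secret' silently: {START_METHOD}")
    return findings

def demo() -> list[str]:  # build a constructed fake infected tree in a temp dir and scan it
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pyronut-2.0.185.dist-info").mkdir()
        for rel in (HIDDEN_MODULE, START_METHOD):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / HIDDEN_MODULE).write_text("# constructed stand-in, carries no payload\n")
        (root / START_METHOD).write_text(  # mimics the described patch; exact form is assumed
            "async def start(self):\n    try:\n        from ...helpers import secret\n"
            "    except:\n        pass\n    return self\n")
        return scan_site_packages(root)
```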
Recommendations for Developers
Developers who suspect they may have installed ‘Pyronut’ are strongly advised to immediately uninstall the package. It is crucial to rebuild affected virtual environments from a clean, verified state. All environment variables, API keys, SSH keys, and database passwords that were accessible to the compromised process should be treated as exposed and rotated promptly. Active Telegram sessions must be terminated, and all Bot API tokens should be revoked without delay.
Furthermore, dependency files such as ‘requirements.txt’, ‘Pipfile’, and ‘pyproject.toml’ should be regularly reviewed for any unexpected packages. The use of lockfiles with cryptographic hash pinning is highly recommended to prevent silent substitutions of legitimate packages with malicious ones. Adopting the principle of least privilege for running applications and integrating Software Composition Analysis (SCA) tools into Continuous Integration/Continuous Deployment (CI/CD) pipelines can significantly reduce exposure to similar supply chain attacks.
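As an added example (not from the write-up), the following Python check applies the dependency-file recommendations above to a ‘requirements.txt’: it flags entries that are not pinned to an exact version, entries without a ‘--hash’ (pip's hash-pinning syntax), and any entry whose PEP 503 normalised name is ‘pyronut’. The sample file, its pyrogram version and the all-zero digest are constructed placeholders.

```python
import re

# Normalise names the way PyPI does (PEP 503) so 'Pyronut' and 'py_ronut' compare equal.
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

IMPERSONATOR = "pyronut"   # the distribution name from the write-up
HASH_RE = re.compile(r"--hash=sha(256|384|512):[0-9a-f]{64,128}")
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|<|>)?")

def audit_requirements(text: str) -> list:
    """Flag entries that are unpinned, lack a hash, or name the impersonating package."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():   # join backslash continuations first
        line = raw.split("#", 1)[0].strip()               # drop comments
        if not line or line.startswith("-"):              # blank, or a pip option such as -r / --index-url
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append(f"unparseable requirement: {line}")
            continue
        name, op = normalize(m.group(1)), m.group(3)
        if name == IMPERSONATOR:
            findings.append(f"{name}: impersonating package, remove it and rebuild the environment")
        if op != "==":
            findings.append(f"{name}: not pinned to an exact version")
        if not HASH_RE.search(line):
            findings.append(f"{name}: no --hash, a substituted upload would install unnoticed")
    return findings

PLACEHOLDER_HASH = "0" * 64   # placeholder digest, not pyrogram's real one
SAMPLE = (   # constructed sample requirements file; the pyrogram version is illustrative
    "# bot dependencies\n"
    f"pyrogram==2.0.106 \\\n    --hash=sha256:{PLACEHOLDER_HASH}\n"
    "Pyronut==2.0.185\n"
    "tgcrypto>=1.2\n"
)

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE):
        print(finding)
```

Pairing such a file with `pip install --require-hashes -r requirements.txt` makes pip refuse any unhashed or mismatching download at install time.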
The swift action by Endor Labs in quarantining the ‘Pyronut’ package minimized the immediate risk. However, the incident underscores the ongoing threat posed by supply chain attacks within the software development ecosystem. Developers must remain vigilant, continuously update security practices, and rigorously vet dependencies to safeguard their projects and sensitive data from evolving threats. The ongoing monitoring of PyPI for similar impersonation tactics remains a critical priority for the security community.