Malicious ‘Pyronut’ Package Backdoors Telegram Bots With Remote Code Execution

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A malicious Python package named pyronut has been discovered on the Python Package Index (PyPI), targeting developers who build Telegram bots by impersonating the popular pyrogram framework.

Rather than relying on typosquatting — where a name resembles a legitimate one — the threat actor copied pyrogram’s entire project description word-for-word, creating what researchers describe as a malicious fork, a trojanized copy designed to reach victims through social engineering.

The pyrogram framework attracts roughly 370,000 downloads every month, making it a high-value target for this type of impersonation. 

Pyronut copied pyrogram’s project page without adding any new features, and its listed GitHub repository URL pointed to a page that did not exist.

This suggests the package was distributed through Telegram communities and developer forums rather than discovered by accident. Three versions were published — 2.0.184, 2.0.185, and 2.0.186 — all malicious.

Endor Labs researchers identified all three versions on March 18, 2026 — the same day they appeared on PyPI — and had them quarantined within hours. This swift response kept the attack window short and reduced the number of developers at risk.

Still, any developer whose bot ran the package during that brief window was fully exposed to compromise.

What made pyronut especially difficult to detect was its runtime activation strategy. Unlike most malicious packages that execute harmful code through setup.py hooks at installation time, pyronut stayed completely dormant until a developer actually ran their bot.

It embedded a hidden backdoor module at pyrogram/helpers/secret.py, which loaded silently every time the Telegram client started, bypassing standard install-time security checks entirely.

The consequences of a successful infection were severe. Once the backdoor activated, the attacker gained dual Remote Code Execution (RCE) capabilities — the power to run arbitrary Python code and arbitrary shell commands on the victim’s machine.

This opened the door to credential theft, data exfiltration, lateral movement across systems, and complete takeover of the victim’s active Telegram session.

Package   Version   Publication Date   Status
pyronut   2.0.184   2026-03-18         Quarantined
pyronut   2.0.185   2026-03-18         Quarantined
pyronut   2.0.186   2026-03-18         Quarantined

Runtime Backdoor: How the Attack Operated

The backdoor activated the moment a developer called the Client.start() method, a core step in how any pyrogram-based Telegram bot initializes.

The threat actor had modified this method inside pyrogram/methods/utilities/start.py to silently import and run the hidden secret.py module each time a client started.

Critically, the entire call was wrapped in a bare try/except: pass block, so if the backdoor encountered any error, it failed silently and the bot continued running as normal.

Once running, the backdoor registered two hidden message handlers on the victim’s Telegram client, tied to two hardcoded attacker account IDs.

The first handler, triggered by the /e command, used the meval library to run arbitrary Python code inside the live session, granting full access to messages, contacts, and Telegram API functions.

The second handler, /shell, passed commands directly to /bin/bash via subprocess, giving the attacker unrestricted system access. The backdoor also skipped installation on the attacker’s own accounts — a clear mark of deliberate malicious intent.

Command outputs were sent back to the attacker through Telegram itself, with results returned in the same chat where commands were issued.

This meant the operation left no unusual external network connections, no suspicious DNS queries, and no C2 domains for monitoring tools to flag — making the backdoor extremely hard to detect through conventional network analysis.
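Because the backdoor leaves no network signal, the practical place to look is the installed package itself. The following audit script is an added example (not Endor Labs' or pyrogram's code) that flags the three host-side indicators the write-up names: an unexpected helpers/secret.py module, an import wrapped in a bare try/except: pass, and source that references meval or /bin/bash. The build_sample_tree helper writes a constructed minimal directory layout for demonstration; it is an assumption, not the real pyrogram package.

```python
import ast
import tempfile
from pathlib import Path

# Indicators taken from the write-up: hidden module path, eval library, bash pass-through.
HIDDEN_MODULE = Path("helpers") / "secret.py"
TOKENS = ("meval", "/bin/bash")

def _swallowing_import(tree: ast.AST) -> bool:
    """True if a try block imports something and a bare except just passes."""
    for node in ast.walk(tree):
        if not isinstance(node, ast.Try):
            continue
        imports = any(isinstance(n, (ast.Import, ast.ImportFrom))
                      for stmt in node.body for n in ast.walk(stmt))
        swallows = any(h.type is None and all(isinstance(s, ast.Pass) for s in h.body)
                       for h in node.handlers)
        if imports and swallows:
            return True
    return False

def audit_package(root: Path) -> list[str]:
    """Return sorted findings for the package tree rooted at `root`."""
    findings = []
    if (root / HIDDEN_MODULE).is_file():
        findings.append(f"unexpected module {HIDDEN_MODULE.as_posix()}")
    for src in root.rglob("*.py"):
        rel = src.relative_to(root).as_posix()
        text = src.read_text(encoding="utf-8", errors="replace")
        findings += [f"{rel}: references {t!r}" for t in TOKENS if t in text]
        try:
            if _swallowing_import(ast.parse(text)):
                findings.append(f"{rel}: import wrapped in bare try/except: pass")
        except SyntaxError:
            findings.append(f"{rel}: unparseable source")
    return sorted(findings)

def build_sample_tree(trojanized: bool) -> Path:
    """Write a constructed minimal tree to a temp dir (assumption: not real pyrogram)."""
    root = Path(tempfile.mkdtemp()) / "pyrogram"
    start = root / "methods" / "utilities" / "start.py"
    start.parent.mkdir(parents=True)
    body = "async def start(self):\n    return self\n"
    if trojanized:  # only the import-wrapper shape the article describes, as a fixture
        body += "try:\n    from ...helpers import secret\nexcept:\n    pass\n"
        (root / "helpers").mkdir()
        (root / "helpers" / "secret.py").write_text("# constructed stub, no payload\n")
    start.write_text(body)
    return root
```

Point audit_package at the real site-packages/pyrogram directory of a suspect virtual environment; an empty list means none of the three indicators were found, not that the package is clean.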

Developers who may have installed pyronut should immediately uninstall the package and rebuild affected virtual environments from a clean, verified state.

All environment variables, API keys, SSH keys, and database passwords accessible to the compromised process should be treated as exposed and rotated right away. Active Telegram sessions must be terminated and all Bot API tokens revoked immediately.

Dependency files such as requirements.txt, Pipfile, and pyproject.toml should be reviewed regularly for unexpected packages, and lockfiles with cryptographic hash pinning should be used to prevent silent substitutions.

Running applications under the principle of least privilege and integrating Software Composition Analysis tools into CI/CD pipelines will significantly reduce exposure to similar supply chain attacks.
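The hash-pinning recommendation above can be enforced mechanically. This added example (not code from the article or from pip) parses a pip requirements file, joins backslash continuations, and reports every requirement that is not pinned to an exact version, carries no --hash entry, or carries a malformed one. SAMPLE is a constructed file; its pyrogram version and the all-zero digest are placeholders, not real values.

```python
import re
from dataclasses import dataclass, field

# Constructed sample requirements file; the digest is a placeholder, not a real hash.
PLACEHOLDER_HASH = "sha256:" + "0" * 64
SAMPLE = (
    f"pyrogram==2.0.106 \\\n    --hash={PLACEHOLDER_HASH}\n"
    "requests>=2.31\n"
    "pyronut\n"
)
_REQ_RE = re.compile(r"([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?(.*)")
_SHA256_RE = re.compile(r"sha256:[0-9a-f]{64}")

@dataclass
class Requirement:
    name: str
    spec: str                      # version specifier as written, e.g. "==2.0.106"
    hashes: list[str] = field(default_factory=list)

def parse_requirements(text: str) -> list[Requirement]:
    """Parse requirement lines; options (-r, --require-hashes) and comments are skipped."""
    reqs = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        parts = line.split()
        m = _REQ_RE.match(parts[0])
        hashes = [p.split("=", 1)[1] for p in parts[1:] if p.startswith("--hash=")]
        reqs.append(Requirement(m.group(1).lower(), m.group(2), hashes))
    return reqs

def check_pinning(text: str) -> list[str]:
    """One problem string per requirement that pip could resolve to a substituted artifact."""
    problems = []
    for r in parse_requirements(text):
        if not r.spec.startswith("=="):
            problems.append(f"{r.name}: not pinned to an exact version ({r.spec or 'any'})")
        if not r.hashes:
            problems.append(f"{r.name}: no --hash, substitution would go unnoticed")
        elif not all(_SHA256_RE.fullmatch(h) for h in r.hashes):
            problems.append(f"{r.name}: malformed hash")
    return problems
```

Installing with pip's --require-hashes flag then refuses any requirement the checker would flag, so a package that appears without a pinned digest cannot slip into the environment unnoticed.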
