Malicious PyPI package ‘pyronut’ backdoored Telegram bots with remote code execution
A malicious Python package called pyronut briefly appeared on PyPI and targeted developers who build Telegram bots with the Pyrogram framework. Security researchers say the package acted like a trojanized copy of pyrogram and installed a hidden runtime backdoor that let an attacker run Python code and shell commands on a victim machine after the bot started.
The package matters because it did not depend on a common typo trick. Instead, the actor copied the real project’s description and code structure closely enough to look believable, then relied on trust and community distribution to reach victims. Endor Labs says all three known malicious versions, 2.0.184, 2.0.185, and 2.0.186, were published, identified, and quarantined on March 18, 2026.
That short window likely limited the number of victims. Still, the risk was serious for anyone who installed the package and then ran a Telegram bot or userbot with it. The payload did not fire during install. It activated only when the Telegram client started, which helped it avoid some early detection checks.
Pyrogram itself remains widely used, with about 371,742 downloads in the last month according to PyPI Stats. Its own documentation also notes that the project is no longer maintained or supported, which makes impersonation attempts more concerning for developers who still depend on it in production.
What happened
Researchers at Endor Labs said pyronut impersonated pyrogram, a Python framework used to interact with Telegram through MTProto. The malicious package copied the upstream project description and pointed users to a GitHub repository URL that did not work, a sign that the package likely spread through social promotion rather than random discovery.
The hidden change sat inside the startup flow. Endor Labs found that the attacker modified Client.start() so it silently imported a rogue module named pyrogram/helpers/secret.py every time the client launched. The code wrapped the call in a silent try/except block, so the bot would keep running even if the backdoor hit an error.
Once active, the backdoor registered message handlers tied to two hardcoded Telegram account IDs. One command, /e, used the meval library to execute arbitrary Python code inside the live Telegram session. Another command, /shell, passed commands to /bin/bash, which gave the attacker direct system-level execution on the host.
Because command output returned through Telegram itself, the activity could blend in better than malware that talks to a separate command-and-control server. Network defenders would still catch some abuse if the attacker later downloaded tools or opened outbound connections, but the initial control path was much quieter than a typical external beacon.
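The indicators Endor Labs describes (a rogue pyrogram/helpers/secret.py module, a try/except-wrapped import of it in the client start-up path, and the package's own metadata left behind by pip) can be checked for in an installed environment without running the bot. The scanner below is an added example written for this article; it is not code from the Endor Labs report or from the pyrogram project. It assumes a standard site-packages layout, and because the report does not quote the exact import statement the malicious fork used, it treats any import whose name contains "secret" inside a try: body as a hit. The sample tree it builds for the demonstration is constructed and contains stub files only.

```python
"""Read-only scanner for the pyronut-style indicators described in the report.

Assumptions (not from the report): the hidden import sits inside a try: body and
names a module containing "secret"; pip records the package as pyronut-*.dist-info.
"""
import ast
import tempfile
import textwrap
from pathlib import Path


def try_wrapped_secret_imports(source: str) -> list:
    """Return (lineno, dotted name) for imports of a *secret* module that sit
    inside a try: body, the pattern the report describes for Client.start()."""
    hits = []
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return hits
    for node in ast.walk(tree):
        if not isinstance(node, ast.Try):
            continue
        for stmt in node.body:
            for sub in ast.walk(stmt):
                if isinstance(sub, ast.ImportFrom):
                    parts = [sub.module or ""] + [a.name for a in sub.names]
                elif isinstance(sub, ast.Import):
                    parts = [a.name for a in sub.names]
                else:
                    continue
                if any("secret" in p.lower() for p in parts):
                    hits.append((sub.lineno, ".".join(p for p in parts if p)))
    return hits


def scan_site_packages(root) -> dict:
    """Walk a site-packages directory and collect the three indicators."""
    root = Path(root)
    findings = {"dist_info": [], "secret_modules": [], "try_wrapped_imports": []}
    for d in root.rglob("pyronut-*.dist-info"):
        findings["dist_info"].append(d.relative_to(root).as_posix())
    for pkg in root.rglob("pyrogram"):
        if not pkg.is_dir():
            continue
        secret = pkg / "helpers" / "secret.py"
        if secret.is_file():
            findings["secret_modules"].append(secret.relative_to(root).as_posix())
        for py in pkg.rglob("*.py"):
            src = py.read_text(encoding="utf-8", errors="replace")
            for lineno, name in try_wrapped_secret_imports(src):
                findings["try_wrapped_imports"].append(
                    (py.relative_to(root).as_posix(), lineno, name))
    return findings


def is_compromised(findings: dict) -> bool:
    return any(findings.values())


# Constructed fixture: a fake site-packages tree that only mimics the file layout
# and the try-wrapped import described in the report. The stubs carry no logic.
INFECTED_CLIENT = textwrap.dedent("""\
    class Client:
        def start(self):
            try:
                from .helpers import secret  # hidden import (layout only, stub module)
            except Exception:
                pass
            return True
""")
CLEAN_CLIENT = "class Client:\n    def start(self):\n        return True\n"


def build_sample_site_packages(infected: bool) -> str:
    """Create a temporary constructed tree; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="sp-"))
    pkg = root / "pyrogram"
    (pkg / "helpers").mkdir(parents=True)
    (pkg / "__init__.py").write_text("")
    (pkg / "helpers" / "__init__.py").write_text("")
    (pkg / "client.py").write_text(INFECTED_CLIENT if infected else CLEAN_CLIENT)
    if infected:
        (pkg / "helpers" / "secret.py").write_text("# stub: no logic\n")
        (root / "pyronut-2.0.186.dist-info").mkdir()   # version from the report
    else:
        (root / "pyrogram-0.0.0.dist-info").mkdir()    # placeholder version
    return str(root)


if __name__ == "__main__":
    for flag in (True, False):
        f = scan_site_packages(build_sample_site_packages(flag))
        print("infected" if is_compromised(f) else "clean", f)
```

Point scan_site_packages() at the real site-packages of each virtual environment that ran a Telegram bot (for example the directory reported by `python -c "import site; print(site.getsitepackages())"`); any non-empty finding is grounds for the rebuild and credential rotation steps the report recommends.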
Why this attack stands out
This was not a classic typo package. pyronut and pyrogram do not look close enough for a normal misspelling trap. Endor Labs described it as a malicious fork instead, meaning a copied project that appears legitimate but contains hidden hostile logic.
The runtime trigger also made the package harder to spot. Many malicious PyPI packages try to run code during installation. This one waited until a developer actually launched the Telegram client, which reduced the odds that simple install-time checks would catch it.
PyPI’s quarantine system helped reduce the exposure window. PyPI says quarantined projects become non-installable and cannot be modified by maintainers until an administrator reviews them. That matters here because it means the package could be blocked quickly once flagged.
Affected package versions
| Package | Malicious versions | First seen | Status |
|---|---|---|---|
| pyronut | 2.0.184 | March 18, 2026 | Quarantined |
| pyronut | 2.0.185 | March 18, 2026 | Quarantined |
| pyronut | 2.0.186 | March 18, 2026 | Quarantined |
Source for version details: Endor Labs.
What attackers could do after compromise
If a bot started with the malicious package installed, the attacker could potentially:
- Run arbitrary Python code inside the Telegram session
- Run shell commands on the host system
- Access environment variables and credentials available to the process
- Steal bot tokens, API keys, SSH keys, or database secrets
- Read or manipulate Telegram messages and bot activity
- Use the compromised machine as a stepping stone for more attacks
These outcomes reflect Endor Labs’ analysis of the /e and /shell handlers and its recommendation to treat accessible secrets as exposed.
What developers should do now
Developers who installed pyronut should remove it immediately and rebuild the environment from a clean state. Endor Labs also recommends rotating all credentials that the bot process could access, revoking Telegram bot tokens, and terminating active Telegram sessions.
Teams should also inspect dependency files such as requirements.txt, Pipfile, pyproject.toml, and setup.py for unexpected packages. Hash pinning and lockfiles can reduce the chance of silent package substitution in future builds.
This case also shows why developers should verify package provenance, especially for projects distributed through chats, community groups, or tutorials. A copied description and familiar branding can be enough to fool users when a package looks functional at first glance. PyPI has repeatedly warned that users should not treat every package on the index as trusted by default.
Quick response checklist
- Search your dependency files for pyronut
- Delete affected virtual environments
- Rebuild from known-good dependencies
- Rotate all secrets exposed to the process
- Revoke Telegram bot tokens and end active sessions
- Review logs for suspicious bot startup activity
- Enforce lockfiles and hash pinning in CI/CD
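The first checklist item and the hash-pinning advice above can be automated. The script below is an added example written for this article, not code from Endor Labs or any project: it walks a project tree, reports every dependency file line that names pyronut, and flags requirements entries that carry no --hash= pin. The sample project it builds is constructed for the demonstration; the sha256 value in it is a placeholder and the version numbers are illustrative.

```python
"""Scan dependency files for a known-bad package name and for unhashed pins."""
import re
import tempfile
import textwrap
from pathlib import Path

SUSPECT_PACKAGES = ("pyronut",)                  # name from the report
DEP_FILE_NAMES = ("Pipfile", "pyproject.toml", "setup.py")

# Match the name as a whole token; '>' '=' '"' around it are allowed, letters are not.
_suspect_re = re.compile(
    r"(?<![A-Za-z0-9_.-])(" + "|".join(re.escape(n) for n in SUSPECT_PACKAGES)
    + r")(?![A-Za-z0-9_])",
    re.IGNORECASE,
)


def is_dependency_file(name: str) -> bool:
    return name in DEP_FILE_NAMES or (name.startswith("requirements") and name.endswith(".txt"))


def suspect_lines(text: str) -> list:
    """(lineno, stripped line) for every line mentioning a suspect package."""
    return [(i, line.strip()) for i, line in enumerate(text.splitlines(), 1)
            if _suspect_re.search(line)]


def requirement_entries(text: str) -> list:
    """Parse requirements.txt into (name, has_hash). Backslash continuations
    (as pip-compile writes them) are joined; comments and pip options skipped."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        line = re.split(r"(?:^|\s)#", line, maxsplit=1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            entries.append((m.group(0).lower(), "--hash=" in line))
    return entries


def scan_project(root) -> dict:
    """Return {'suspect': [(file, lineno, line)], 'unhashed': [(file, name)]}."""
    root = Path(root)
    report = {"suspect": [], "unhashed": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not is_dependency_file(path.name):
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        report["suspect"] += [(rel, n, line) for n, line in suspect_lines(text)]
        if path.name.startswith("requirements"):
            report["unhashed"] += [(rel, name) for name, hashed in requirement_entries(text)
                                   if not hashed]
    return report


FAKE_HASH = "0" * 64   # placeholder digest for the constructed sample


def build_sample_project() -> str:
    """Create a constructed temporary project with four dependency files."""
    root = Path(tempfile.mkdtemp(prefix="proj-"))
    (root / "requirements.txt").write_text(textwrap.dedent(f"""\
        # constructed sample; the sha256 value is a placeholder, not a real digest
        pyrogram==2.0.106 \\
            --hash=sha256:{FAKE_HASH}
        pyronut==2.0.186
        tgcrypto
    """))
    (root / "pyproject.toml").write_text(
        '[project]\nname = "demo-bot"\ndependencies = ["pyronut>=2.0.184"]\n')
    (root / "Pipfile").write_text('[packages]\npyrogram = "*"\n')
    (root / "setup.py").write_text(
        'from setuptools import setup\nsetup(name="demo-bot", install_requires=["requests"])\n')
    return str(root)


if __name__ == "__main__":
    for key, rows in scan_project(build_sample_project()).items():
        for row in rows:
            print(key, *row)
```

Run scan_project() against each repository root in CI; a non-empty "suspect" list should fail the build, and the "unhashed" list shows which entries still need `--hash=` pins before `pip install --require-hashes` can be enforced.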
FAQ
What is pyronut? pyronut is a malicious Python package that impersonated the real pyrogram Telegram framework on PyPI and added a hidden backdoor.
Which versions were malicious? The known malicious versions were 2.0.184, 2.0.185, and 2.0.186, all published on March 18, 2026.
Did the backdoor run at install time? No. Researchers say it stayed dormant until the Telegram client started, which made detection harder.
Which commands did the backdoor support? It supported /e for arbitrary Python execution and /shell for arbitrary shell command execution.
How did PyPI respond? PyPI's quarantine system makes quarantined projects non-installable while they are under review. Endor Labs says the malicious pyronut versions were quarantined the same day they were published.
Are pyrogram users affected by pyronut? Users of the legitimate pyrogram package were not automatically affected. The main risk applies to developers who installed the malicious pyronut package instead of the real dependency. Endor Labs also notes Pyrogram is no longer maintained, so teams still using it should review their dependency strategy carefully.