The Python Package Index (PyPI) has found a malicious Python package called pyronut that poses as the popular pyrogram framework and targets developers who build Telegram bots. Rather than typosquatting (choosing a name that looks like the legitimate one), the threat actor copied pyrogram's entire project description word for word. Researchers call this a "malicious fork": a trojanized copy of a real project, made to trick people into handing over their information.
The pyrogram framework gets about 370,000 downloads a month, which makes it an attractive target for this kind of impersonation. Pyronut's project page was a copy of Pyrogram's and listed no new features. The GitHub repository URL it gave pointed to a page that did not exist.
This suggests the package was most likely distributed directly, through Telegram groups and developer forums, rather than found by chance. If a process that loaded the package is compromised, everything it could reach (environment variables, API keys, SSH keys, and database passwords) should be treated as exposed and rotated right away. Terminate all active Telegram sessions immediately and revoke all Bot API tokens.
Dependency files such as requirements.txt, Pipfile, and pyproject.toml should be checked regularly for packages you did not expect, and lockfiles with cryptographic hash pinning should be used to stop silent substitutions. Running applications under the principle of least privilege and adding Software Composition Analysis (SCA) tools to CI/CD pipelines will greatly lower the risk of similar supply chain attacks. Follow ZeroOwl on LinkedIn, X, and Google to get more instant updates.
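The dependency-file checks described above, as an added example that is not from the article or from ZeroOwl: a small audit of a pip requirements file that reports packages outside an expected allowlist, entries not pinned to an exact version, and entries without a --hash=sha256 pin. The allowlist, the sample requirements text, the version number and the digest are all constructed for the demonstration; the look-alike hint uses a simple difflib similarity and is only a prompt for a closer look, not proof of anything.

```python
"""Added example (not from the article): audit a pip requirements file for
packages outside an expected allowlist, entries that are not pinned to an
exact version, and entries that carry no --hash=sha256 pin.
The allowlist and the sample requirements text are constructed."""
import difflib
import re

# Constructed allowlist: what this hypothetical Telegram-bot project is
# expected to depend on. Anything else is reported for review.
EXPECTED_PACKAGES = {"pyrogram", "tgcrypto", "requests"}

# name, optional [extras], optional "==version", then the rest (markers, --hash ...)
REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?:==\s*([^\s\\]+))?(.*)$"
)
SHA256_HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}")


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text: str):
    """Yield requirement lines with comments stripped and '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def audit_requirements(text: str, expected=EXPECTED_PACKAGES):
    """Return a dict: normalized package name -> list of issue strings."""
    expected = {normalize(n) for n in expected}
    findings = {}
    for entry in logical_lines(text):
        # pip options (-r, --index-url, ...) and direct URL/VCS requirements
        # are out of scope for this index-package audit.
        if entry.startswith("-") or "://" in entry:
            continue
        m = REQ_LINE.match(entry)
        if not m:
            continue
        name, version, rest = normalize(m.group(1)), m.group(2), m.group(3)
        issues = []
        if name not in expected:
            issues.append("not in the expected package list")
            # Heuristic hint only: a name resembling an expected one deserves a closer look.
            for hint in difflib.get_close_matches(name, sorted(expected), n=1, cutoff=0.5):
                issues.append(f"name resembles expected package '{hint}'")
        if version is None:
            issues.append("not pinned to an exact version (==)")
        if not SHA256_HASH.search(rest):
            issues.append("no --hash=sha256 pin; silent substitution possible")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample: one fully pinned entry, one unexpected look-alike name,
# and one expected but loosely specified entry. Version and digest are placeholders.
PLACEHOLDER_DIGEST = "0" * 64
SAMPLE_REQUIREMENTS = f"""\
pyrogram==2.0.106 \\
    --hash=sha256:{PLACEHOLDER_DIGEST}
pyronut            # unexpected package, no version pin, no hash
requests>=2.0      # expected, but neither pinned nor hashed
"""

if __name__ == "__main__":
    for pkg, issues in audit_requirements(SAMPLE_REQUIREMENTS).items():
        for issue in issues:
            print(f"{pkg}: {issue}")
```

Run as a script it prints one line per issue; in a CI job the same function can fail the build when any entry is outside the allowlist or lacks a hash. For a real project, generate the hashed requirements with a lockfile tool (for example `pip-compile --generate-hashes`) and install with `pip install --require-hashes`, so that a substituted package with a different digest is rejected at install time.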