Operation Navy Ghost PyPI supply-chain campaign
Campaign
Summary
The Operation Navy Ghost campaign has targeted Python developers building Telegram bots through trojanized Pyrogram forks, creating a supply-chain path to compromised servers. The malicious packages can expose arbitrary files, Telegram chats, and credentials, and can execute attacker-supplied Python or shell commands. Researchers tied the activity to at least eight PyPI packages published between November 2025 and June 2026.
Related Happenings
Trojanized Pyrogram forks with hidden Telegram backdoor
Malware Activity
H score: 14
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources 1
How related:
The malicious file registers hidden Telegram command handlers when an infected bot launches, which enables the execution of attacker-supplied Python code or shell commands.
About this happening:
Trojanized **Pyrogram** forks on **PyPI** now ship a hidden backdoor that gives attackers remote command execution and file access on compromised **Telegram bot servers**. The mal...
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
H score: 39
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
H score: 34
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
Lightning PyPI router_runtime.js credential-stealing payload
Malware Activity
H score: 29
First: 30.04.2026 19:31
Last: 30.04.2026 19:31
Sources 1
About this happening:
The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...
Latest development: 04.05.2026 20:15
Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.
Elementary-data package hit by network compromise
Incident
H score: 36
First: 27.04.2026 18:17
Last: 27.04.2026 18:17
Sources 1
About this happening:
The **elementary-data** project suffered a **malicious release compromise** that exposed users of **PyPI** and **GitHub Container Registry** to a backdoored package and image. An...
Timeline
- 01.07.2026 00:02 · 2 articles
Checkmarx details Operation Navy Ghost trojanized Pyrogram forks on PyPI
Initial Disclosure: Checkmarx details Operation Navy Ghost, a supply-chain campaign targeting Python developers building Telegram bots with trojanized Pyrogram forks published on PyPI between November 2025 and June 2026. The malicious forks included a hidden backdoor in secret.py that activated when infected bots imported Pyrogram or started, then registered hidden Telegram command handlers so attackers could run Python code or shell commands, read arbitrary files, and access chats, credentials, and other data on compromised servers.
Sources:
- Malicious PyPI packages give hackers control of Telegram bot servers — www.bleepingcomputer.com — 01.07.2026 00:02
- Malicious PyPI packages give hackers control of Telegram bot servers — www.bleepingcomputer.com — 01.07.2026 00:02