critical · pypi · obfuscation · osv

Malicious code in inlifegram (PyPI)

inlifegram

Risk score

92

AI summary

Indexed incident for inlifegram (pypi).

Description

InLifeGram distributes a modified copy of the pyrogram Telegram client library and installs it into the top-level pyrogram import namespace, so import pyrogram after installation resolves to this fork. The fork's Client start path has been modified to lazily import a sibling module (from . import app as secret) and, when the authenticated account is a bot (self.me.is_bot), call secret.init(self) wrapped in a bare except Exception: pass. The call hands the fully authenticated client object, containing the bot token, api_id/api_hash, and MTProto auth_key, to undocumented code. The receiving app.py module consists of a single exec(zlib.decompress(base64.b85decode(b'...')).decode()) over an ~11KB opaque blob, with no other functionality and an Indonesian-language header threatening anyone who removes 'credits'. The multi-layer obfuscation (base85 → zlib → exec), the silent invocation on bot authentication, and the bare-except suppression are the canonical shape of a session/token-stealing backdoor. The README links a sibling project, VLife-Gram, by the same author, indicating a family of trojanized forks. Any program that installs InLifeGram and runs a Pyrogram bot will silently surrender its bot session to the hidden payload on every successful login.

The package is a modified version of a Telegram bot library. The obfuscated code, launched when the user starts their own bot application, attaches malicious backdoor commands to the Telegram bot. These commands allow hardcoded users to execute any commands in the bot's environment.
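A static check for the app.py loader shape described above (exec over zlib.decompress over base64.b85decode of a literal blob), as an added example that is not part of the advisory or the package. The decoder name list, function names and sample strings are assumptions constructed for illustration; the source is only parsed, never executed.

```python
import ast, base64, zlib

# Call names treated as decode/decompress layers (assumed list, extend as needed).
DECODERS = {"b85decode", "a85decode", "b64decode", "b32decode", "b16decode",
            "decompress", "unhexlify", "fromhex"}
SINKS = {"exec", "eval"}

def _name(func):
    """Last component of a call target: base64.b85decode -> 'b85decode'."""
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else None

def _layers(node):
    """Walk inward through nested calls such as f(g(b'...')).decode()."""
    chain = []
    while isinstance(node, ast.Call):
        chain.append(_name(node.func))
        if isinstance(node.func, ast.Attribute) and isinstance(node.func.value, ast.Call):
            node = node.func.value          # method called on a call result
        elif node.args:
            node = node.args[0]             # ordinary nested argument
        else:
            break
    literal = isinstance(node, ast.Constant) and isinstance(node.value, (bytes, str))
    return chain, (len(node.value) if literal else 0)

def find_packed_exec(source, filename="<src>"):
    """Report exec/eval calls whose argument is built from decoder layers."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call) and _name(node.func) in SINKS and node.args:
            chain, blob_len = _layers(node.args[0])
            hits = [c for c in chain if c in DECODERS]
            if hits:
                findings.append({"line": node.lineno, "sink": _name(node.func),
                                 "layers": hits, "blob_len": blob_len})
    return findings

# Constructed samples: a harmless packed "pass" in the same shape, and a clean file.
_BLOB = base64.b85encode(zlib.compress(b"pass"))
SAMPLE_PACKED = ("import base64, zlib\n"
                 "exec(zlib.decompress(base64.b85decode(%r)).decode())\n" % _BLOB)
SAMPLE_CLEAN = "import zlib\ndata = zlib.decompress(raw)\nexec('x = 1')\n"

if __name__ == "__main__":
    print(find_packed_exec(SAMPLE_PACKED), find_packed_exec(SAMPLE_CLEAN))
```

Run over every .py file in an unpacked sdist or wheel before installation; a hit with a large blob_len in a module that has no other functionality matches the pattern this advisory describes.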


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-inlifegram

Reasons (based on the campaign):

  • clones-real-package

  • obfuscation

  • The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

  • rat

  • target:telegram

  • action-hidden-in-lib-usage

  • backdoor

Technical details

Affected versions

=2.1.2.8, =2.1.2.9, >=0

Indicators

  • affected version: =2.1.2.8 (75%)
  • affected version: =2.1.2.9 (75%)
  • affected version: >=0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
