A malicious package campaign tied to Telegram bot development shows how a trusted Python repository can become the delivery layer for server-side compromise.