A counterfeit Python package quietly backdoored Telegram bots, giving attackers remote command over both chat sessions and server systems.