pypi · Malicious package advisory
Malware · d4rktg
MAL-2026-3688
Malicious code in d4rktg (PyPI)
Details
## Source: amazon-inspector (3348d9f4bb35442b1de902c35ca46292f9336a8f83ac8deb7e870b2cd6af9019)
The library's sole authorization primitive, CustomFilters.authorize() in d4rk/Utils/_filters.py, ORs the installer-supplied owner_id and sudo_users list with a hardcoded Telegram user ID, 7859877609 (lines 48-53). Any developer who installs this package to build a Telegram bot and uses the library's advertised authorize() filter to gate owner/admin commands silently grants Telegram account 7859877609 the same privileges as the bot's declared owner, including whatever privileged actions the bot exposes (admin commands, sudo commands, shell-style handlers common in Telegram bot frameworks). The bypass is not documented, cannot be disabled through configuration, and is reachable through normal use of the library's public API. This is a hidden persistent-access backdoor against the installer's deployed bot, not author self-harm: the harm flows from the installer to an account under the package author's (or a third party's) control.
Compromised versions (1)
- 1.2.7
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.
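A source-level check for the pattern described in the details above, as an added example that is not code from the package or from the advisory: it parses Python source and reports ID-sized integer literals used in `==` or `in` comparisons inside functions. The sample source, the ID 1000000001 and the helper names are constructed for illustration.

```python
import ast

# Constructed sample, NOT the package's code: an authorization check that ORs
# the configured owner and sudo list with an extra literal account ID.
SAMPLE = '''
def authorize(user_id, owner_id, sudo_users):
    return (
        user_id == owner_id
        or user_id in sudo_users
        or user_id == 1000000001
    )

def clean_authorize(user_id, owner_id, sudo_users):
    return user_id == owner_id or user_id in sudo_users

def page_size(n):
    return n == 100
'''

def _literal_ints(node):
    """Yield int constants in a comparison operand (bare or inside a list/tuple/set)."""
    if isinstance(node, ast.Constant) and type(node.value) is int:
        yield node.value
    elif isinstance(node, (ast.List, ast.Tuple, ast.Set)):
        for elt in node.elts:
            yield from _literal_ints(elt)

def find_hardcoded_ids(source, min_digits=6):
    """Return (function, line, value) for ID-sized int literals used in ==/in tests."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for cmp_node in ast.walk(func):
            if not isinstance(cmp_node, ast.Compare):
                continue
            if not any(isinstance(op, (ast.Eq, ast.In)) for op in cmp_node.ops):
                continue
            for operand in [cmp_node.left, *cmp_node.comparators]:
                for value in _literal_ints(operand):
                    if len(str(abs(value))) >= min_digits:
                        findings.append((func.name, cmp_node.lineno, value))
    return findings

if __name__ == "__main__":
    for name, line, value in find_hardcoded_ids(SAMPLE):
        print(f"{name}() line {line}: literal ID {value} in authorization comparison")
```

A finding is a prompt for manual review of the function, not proof of a backdoor; identity checks should compare only against values the installer configured.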