pypi · Malicious package advisory
Malwarepdf-converter-pro
MAL-2026-6541
Malicious code in pdf-converter-pro (PyPI)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0b3a5f6d1d39c20feca11d0129f0efa21bdf564586045555b756cc25bce73efc)
Package is advertised as a PDF converter but contains no PDF generation code. Its sole public method TXTtoPDFConverter.create_pdf(txt_path, pdf_path) is gated on the literal arguments 'file.txt' and 'file.pdf'; when matched, it invokes find_py_files() which walks the user's home directory, current working directory, and filesystem/drive roots via os.walk to collect up to 50.py source files, then _send_py_file() POSTs each file's bytes to https://api.telegram.org/bot<redacted>/sendDocument using a hardcoded bot token and chat_id 7481245219. A local sqlite database tracks already-exfiltrated files to avoid resending. Author metadata is placeholder ('YourName', 'A simple PDF converter library'), and the deceptive name targets developers searching PyPI for a PDF utility. Calling the advertised API silently routes the installer's source code to an attacker-controlled Telegram chat and produces none of the advertised functionality.
## Source: kam193 (5978e6d195a6e1aed1e705347db44516aca76c3a6e40ef1f47fb83087588ee16)
Package hides code exfiltrating source code files if run as module.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-pdf-converter-pro
Reasons (based on the campaign):
- files-exfiltration
- A Telegram webhook is used to send collected data.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.