{"id":"MAL-2026-3688","summary":"Malicious code in d4rktg (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3348d9f4bb35442b1de902c35ca46292f9336a8f83ac8deb7e870b2cd6af9019)\nThe library's sole authorization primitive, CustomFilters.authorize() in d4rk/Utils/_filters.py, OR's the installer-supplied owner_id and sudo_users list with a hardcoded Telegram user ID 7859877609 (lines 48-53). Any developer who installs this package to build a Telegram bot and uses the library's advertised authorize() filter to gate owner/admin commands silently grants Telegram account 7859877609 the same privileges as the bot's declared owner — including whatever privileged actions the bot exposes (admin commands, sudo commands, shell-style handlers common in Telegram bot frameworks). The bypass is not documented, cannot be disabled through configuration, and is reachable through normal use of the library's public API. This is a hidden persistent-access backdoor against the installer's deployed bot, not author self-harm: the harm flows from the installer to an account under the package author's (or a third party's) control.\n","modified":"2026-05-13T20:22:39.153272Z","published":"2026-05-13T05:33:46Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["1.2.7"],"sha256":"3348d9f4bb35442b1de902c35ca46292f9336a8f83ac8deb7e870b2cd6af9019","id":"IN-MAL-2026-002624","import_time":"2026-05-13T20:11:02.997258114Z","modified_time":"2026-05-13T05:33:46Z"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/d4rktg/1.2.7/"}],"affected":[{"package":{"name":"d4rktg","ecosystem":"PyPI","purl":"pkg:pypi/d4rktg"},"versions":["1.2.7"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha256":"ef1ff0ae0167416aebf4b7dde819f6e2b84c07b8140c25f4921fe98adcea4118","md5":"303a194bd545221a822538ff5d414222","blake2b_256":"210c03bc7fddc03bce10cc68b537751ec29a46f6f4585e2f3623abedac9c48ee"},"filename":"d4rktg-1.2.7-py3-none-any.whl"},{"hashes":{"sha256":"6b2752bd41042cebf83f206ef8403685fbe9362376a4f668a8834fb235c41294","md5":"fae35a3462d752a9923bda99f738becc","blake2b_256":"4bdfcb2242c503d0759d52f727a03aff56e77fd3c5f31d02738d5ba5da983d3e"},"filename":"d4rktg-1.2.7.tar.gz"}],"evidence_files":[{"tlsh":"bb51bc029d8e703109728eceecaaa013f63c4647699e1125fdbc42797f754e8c7b4a69","path":"d4rk/Utils/_filters.py","sha256":"e114c93fbfdd3c549ba56d08e2c98d90479875eacf8248a7e5256f8abeceb4e7"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/d4rktg/MAL-2026-3688.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}