{"id":"MAL-2026-4859","summary":"Malicious code in telethon-pro-safe (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (8bc2e515c2eb7bf73ea5d532cfb6701dcaf3dd95e9d8248ee3d426b1d0c1ed8c)\nDuring installation, package executes obfuscated code that starts a RAT-like software allowing remote control and exfiltrating sensitive data.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-05-telethon-pro-safe\n\n\nReasons (based on the campaign):\n\n\n - rat\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - exfiltration-credentials\n\n\n - exfiltration-browser-data\n\n\n - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.\n\n\n - The package contains code to detect if it is running in a sandbox environment.\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - infostealer\n\n\n - obfuscation\n","modified":"2026-05-28T21:30:57.022971072Z","published":"2026-05-28T17:50:39Z","database_specific":{"malicious-packages-origins":[{"sha256":"8bc2e515c2eb7bf73ea5d532cfb6701dcaf3dd95e9d8248ee3d426b1d0c1ed8c","import_time":"2026-05-28T19:25:24.080697697Z","id":"pypi/2026-05-telethon-pro-safe/telethon-pro-safe","versions":["3.0.0","3.0.1","3.0.2","3.0.3","3.0.4"],"modified_time":"2026-05-28T17:50:39.568931Z","source":"kam193"},{"sha256":"547838db16ca725408f22270caf4e4e1517d67c7b362784921367678ead4bd51","versions":["3.0.0","3.0.1","3.0.2","3.0.3","3.0.4"],"id":"pypi/2026-05-telethon-pro-safe/telethon-pro-safe","modified_time":"2026-05-28T17:50:39.568931Z","import_time":"2026-05-28T21:15:43.330573907Z","source":"kam193"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/telethon-pro-safe"}],"affected":[{"package":{"name":"telethon-pro-safe","ecosystem":"PyPI","purl":"pkg:pypi/telethon-pro-safe"},"versions":["3.0.0","3.0.1","3.0.2","3.0.3","3.0.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/telethon-pro-safe/MAL-2026-4859.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}