{"id":"MAL-2026-6541","summary":"Malicious code in pdf-converter-pro (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0b3a5f6d1d39c20feca11d0129f0efa21bdf564586045555b756cc25bce73efc)\nPackage is advertised as a PDF converter but contains no PDF generation code. Its sole public method TXTtoPDFConverter.create_pdf(txt_path, pdf_path) is gated on the literal arguments 'file.txt' and 'file.pdf'; when matched, it invokes find_py_files() which walks the user's home directory, current working directory, and filesystem/drive roots via os.walk to collect up to 50.py source files, then _send_py_file() POSTs each file's bytes to https://api.telegram.org/bot\u003credacted\u003e/sendDocument using a hardcoded bot token and chat_id 7481245219. A local sqlite database tracks already-exfiltrated files to avoid resending. Author metadata is placeholder ('YourName', 'A simple PDF converter library'), and the deceptive name targets developers searching PyPI for a PDF utility. Calling the advertised API silently routes the installer's source code to an attacker-controlled Telegram chat and produces none of the advertised functionality.\n\n## Source: kam193 (5978e6d195a6e1aed1e705347db44516aca76c3a6e40ef1f47fb83087588ee16)\nPackage hides code exfiltrating source code files if run as module.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-pdf-converter-pro\n\n\nReasons (based on the campaign):\n\n\n - files-exfiltration\n\n\n - A Telegram webhook is used to send collected data.\n","modified":"2026-06-29T07:16:43.087229551Z","published":"2026-06-26T20:35:30Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"import_time":"2026-06-26T21:34:04.24598071Z","source":"kam193","sha256":"5978e6d195a6e1aed1e705347db44516aca76c3a6e40ef1f47fb83087588ee16","id":"pypi/2026-06-pdf-converter-pro/pdf-converter-pro","modified_time":"2026-06-26T20:35:30.274325Z"},{"versions":["1.0.0"],"import_time":"2026-06-29T07:09:10.674316077Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"amazon-inspector","sha256":"0b3a5f6d1d39c20feca11d0129f0efa21bdf564586045555b756cc25bce73efc","id":"IN-MAL-2026-007760","modified_time":"2026-06-29T05:52:27Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/pdf-converter-pro"},{"type":"PACKAGE","url":"https://pypi.org/project/pdf-converter-pro/1.0.0/"}],"affected":[{"package":{"name":"pdf-converter-pro","ecosystem":"PyPI","purl":"pkg:pypi/pdf-converter-pro"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"path":"pdf_converter_pro/__init__.py","tlsh":"aad135955de12891d783c3690143b897230a3da36b0a443079fc6be45f449b46afaeed","sha256":"f299bf961b9a8952dcb12ecdae5cdb5c19bc22a03e5abc44632801c92a49f250"},{"path":"pdf_converter_pro-1.0.0.dist-info/METADATA","sha256":"cde8de932c7957c230b4e2fdc8312e8bde56dfea2e1c89365e8cc8ddcc561c6d","tlsh":"81d0a9643681a87677eb824c081d35b6d395818000dc2a86c4911ac2828b6de0bd6638"}],"package_integrity":[{"hashes":{"blake2b_256":"1151e7e7469d0daa4c1c88afe2e46f6479b1c7d0caa68f4d980464e2c12182ff","sha256":"6bb84b8973f9e4fa601f2815187ae638c48cd8e1324720c9f7049a463712ffa9","md5":"f85083f2ca0a1c765b0fcccad45a6039"},"filename":"pdf_converter_pro-1.0.0-py3-none-any.whl"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pdf-converter-pro/MAL-2026-6541.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}