Supply-chain threat intelligence

Incident detail

critical · pypi · credential theft · osv

Malicious code in tdata-grabber (PyPI)

tdata-grabber

Risk score

92

AI summary

Indexed incident for tdata-grabber (pypi).

Description

The package name explicitly declares its purpose: harvesting Telegram Desktop session data (the tdata directory). The tdata folder contains live authenticated Telegram session keys; collecting and exfiltrating it enables full takeover of the installer's Telegram account by whoever receives the data. Automated tracing of the package contents was engaged, but its output was withheld by the provider's malware-content safety filter, a signal consistent with the file contents reading as operational session-stealer code. Combined with the self-declared purpose in the package name, the package fits the messaging-session-theft fingerprint (active-attack) rather than any legitimate library shape.

Package exfiltrates data from the Telegram application to a remote location, effectively collecting Telegram sessions.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-telegramlite

Reasons (based on the campaign):

  • target:telegram

  • files-exfiltration

Technical details

Affected versions

=1.0.0, >=0

Indicators

  • affected version =1.0.0 · 75%
  • affected version >=0 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
