Supply-chain threat intelligence
Risk score: 92
Indexed incident for pdf-converter-pro (pypi).
Package is advertised as a PDF converter but contains no PDF generation code. Its sole public method TXTtoPDFConverter.create_pdf(txt_path, pdf_path) is gated on the literal arguments 'file.txt' and 'file.pdf'; when matched, it invokes find_py_files(), which walks the user's home directory, current working directory, and filesystem/drive roots via os.walk to collect up to 50 .py source files. _send_py_file() then POSTs each file's bytes to https://api.telegram.org/bot/sendDocument using a hardcoded bot token and chat_id 7481245219. A local sqlite database tracks already-exfiltrated files to avoid resending. Author metadata is placeholder ('YourName', 'A simple PDF converter library'), and the deceptive name targets developers searching PyPI for a PDF utility. Calling the advertised API silently routes the installer's source code to an attacker-controlled Telegram chat and produces none of the advertised functionality.
The package hides code that exfiltrates source code files if run as a module.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-pdf-converter-pro
Reasons (based on the campaign):
files-exfiltration
A Telegram webhook is used to send collected data.
Affected versions
Indicators
Timeline