critical · pypi · credential theft · osv

Malicious code in pdf-converter-pro (PyPI)

pdf-converter-pro

Risk score

92

AI summary

Indexed incident for pdf-converter-pro (pypi).

Description

Package is advertised as a PDF converter but contains no PDF generation code. Its sole public method TXTtoPDFConverter.create_pdf(txt_path, pdf_path) is gated on the literal arguments 'file.txt' and 'file.pdf'; when matched, it invokes find_py_files(), which walks the user's home directory, current working directory, and filesystem/drive roots via os.walk to collect up to 50 .py source files. _send_py_file() then POSTs each file's bytes to https://api.telegram.org/bot/sendDocument using a hardcoded bot token and chat_id 7481245219. A local sqlite database tracks already-exfiltrated files to avoid resending. Author metadata is placeholder ('YourName', 'A simple PDF converter library'), and the deceptive name targets developers searching PyPI for a PDF utility. Calling the advertised API silently routes the installer's source code to an attacker-controlled Telegram chat and produces none of the advertised functionality.

Package hides code exfiltrating source code files if run as module.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-pdf-converter-pro

Reasons (based on the campaign):

  • files-exfiltration

  • A Telegram webhook is used to send collected data.
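A static check for the two behaviours named above (an os.walk crawl combined with a Telegram sendDocument upload), as an added example that is not code from the advisory or from the package. It assumes the package has been unpacked to a directory and only parses the files, never imports them; the function names and the sample string are hypothetical.

```python
import ast
import re
from pathlib import Path

# Telegram Bot API upload endpoint; the token segment may be literal, empty or interpolated.
TELEGRAM_SEND = re.compile(r"api\.telegram\.org/bot[^/\s]*/sendDocument", re.I)

def _literal_text(node):
    """Text of a string literal; f-string placeholders are rendered as '{}'."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.JoinedStr):
        return "".join(_literal_text(v) or "{}" for v in node.values)

def audit_source(source):
    """Return the line numbers of both indicators in one Python source string."""
    hits = {"telegram_upload": [], "os_walk": []}
    for node in ast.walk(ast.parse(source)):
        text = _literal_text(node)
        if text and TELEGRAM_SEND.search(text):
            hits["telegram_upload"].append(node.lineno)
        func = getattr(node, "func", None)
        if (isinstance(node, ast.Call) and isinstance(func, ast.Attribute) and func.attr == "walk"
                and isinstance(func.value, ast.Name) and func.value.id == "os"):
            hits["os_walk"].append(node.lineno)
    return hits

def is_suspicious(hits):
    # Flag only the combination: either indicator alone is common in benign code.
    return bool(hits["telegram_upload"] and hits["os_walk"])

def audit_package(pkg_dir):
    """Audit every .py file under an unpacked package directory."""
    report = {}
    for path in Path(pkg_dir).rglob("*.py"):
        try:
            hits = audit_source(path.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue  # unparsable file: not scored here, review by hand
        if is_suspicious(hits):
            report[str(path)] = hits
    return report

# Constructed sample: indicator shapes only, no upload logic.
SAMPLE = '''
import os
URL = f"https://api.telegram.org/bot{token}/sendDocument"
def find_py_files(): return list(os.walk(os.path.expanduser("~")))
'''
```

The check is per file, so a package that splits the crawl and the upload across modules needs the hits merged before scoring.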

Technical details

Affected versions

  • =1.0.0
  • >=0

Indicators

  • affected version =1.0.0 · 75%
  • affected version >=0 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
