MAL-2026-3688

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/d4rktg/MAL-2026-3688.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3688
Published
2026-05-13T05:33:46Z
Modified
2026-05-13T20:22:39.153272Z
Summary
Malicious code in d4rktg (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3348d9f4bb35442b1de902c35ca46292f9336a8f83ac8deb7e870b2cd6af9019)

The library's sole authorization primitive, CustomFilters.authorize() in d4rk/Utils/filters.py, OR's the installer-supplied ownerid and sudo_users list with a hardcoded Telegram user ID 7859877609 (lines 48-53). Any developer who installs this package to build a Telegram bot and uses the library's advertised authorize() filter to gate owner/admin commands silently grants Telegram account 7859877609 the same privileges as the bot's declared owner — including whatever privileged actions the bot exposes (admin commands, sudo commands, shell-style handlers common in Telegram bot frameworks). The bypass is not documented, cannot be disabled through configuration, and is reachable through normal use of the library's public API. This is a hidden persistent-access backdoor against the installer's deployed bot, not author self-harm: the harm flows from the installer to an account under the package author's (or a third party's) control.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "3348d9f4bb35442b1de902c35ca46292f9336a8f83ac8deb7e870b2cd6af9019",
            "id": "IN-MAL-2026-002624",
            "source": "amazon-inspector",
            "import_time": "2026-05-13T20:11:02.997258114Z",
            "modified_time": "2026-05-13T05:33:46Z",
            "versions": [
                "1.2.7"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / d4rktg

Package

Affected ranges

Affected versions

1.*
1.2.7

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "d4rk/Utils/_filters.py",
            "tlsh": "bb51bc029d8e703109728eceecaaa013f63c4647699e1125fdbc42797f754e8c7b4a69",
            "sha256": "e114c93fbfdd3c549ba56d08e2c98d90479875eacf8248a7e5256f8abeceb4e7"
        }
    ],
    "package_integrity": [
        {
            "filename": "d4rktg-1.2.7-py3-none-any.whl",
            "hashes": {
                "md5": "303a194bd545221a822538ff5d414222",
                "blake2b_256": "210c03bc7fddc03bce10cc68b537751ec29a46f6f4585e2f3623abedac9c48ee",
                "sha256": "ef1ff0ae0167416aebf4b7dde819f6e2b84c07b8140c25f4921fe98adcea4118"
            }
        },
        {
            "filename": "d4rktg-1.2.7.tar.gz",
            "hashes": {
                "md5": "fae35a3462d752a9923bda99f738becc",
                "blake2b_256": "4bdfcb2242c503d0759d52f727a03aff56e77fd3c5f31d02738d5ba5da983d3e",
                "sha256": "6b2752bd41042cebf83f206ef8403685fbe9362376a4f668a8834fb235c41294"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/d4rktg/MAL-2026-3688.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]