-= Per source details. Do not edit below this line.=-
The package name explicitly declares its purpose as harvesting Telegram Desktop session data (the tdata directory). The tdata folder contains live authenticated Telegram session keys; collecting and exfiltrating it enables full account takeover of the installer's Telegram account by whoever receives the data. Automated tracing of the package contents was engaged, but its output was withheld by the provider's malware-content safety filter, a signal consistent with the file contents reading as operational session-stealer code. Combined with the self-declared purpose in the package name, the package fits the messaging-session-theft fingerprint (active-attack) rather than any legitimate library shape.
Package exfiltrates data from the Telegram application to a remote location, effectively collecting Telegram sessions.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-telegramlite
Reasons (based on the campaign):
target:telegram
files-exfiltration
{
"malicious-packages-origins": [
{
"import_time": "2026-06-28T17:32:44.363774571Z",
"source": "kam193",
"modified_time": "2026-06-28T16:55:16.600195Z",
"id": "pypi/2026-06-telegramlite/tdata-grabber",
"versions": [
"1.0.0"
],
"sha256": "6aa5184e991d29d6a751e13971ce2ce6a1cec834f675a1c3dd5eb0fc2ec75762"
},
{
"import_time": "2026-06-29T07:09:11.357679709Z",
"id": "IN-MAL-2026-007770",
"source": "amazon-inspector",
"modified_time": "2026-06-29T06:47:08Z",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.0"
],
"sha256": "9b4c3b37df5e3d08d7bc6ad736e0231ed0dc655640ffdf0dc403f4029ace2787"
}
],
"iocs": {
"urls": [
"https://telegram-full-server.onrender.com/api/upload"
],
"domains": [
"telegram-full-server.onrender.com"
]
}
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tdata-grabber/MAL-2026-6560.json"
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "tdata_grabber-1.0.0-py3-none-any.whl",
"hashes": {
"md5": "9db230ad710bdc65243a3249188a11b5",
"sha256": "14a5bd78727f09fbcceb9fd67a040db8de5d9a594c005db51b1604065ced16cb",
"blake2b_256": "071d774f1ea01d433c01ab18d2c1d750c96644bbfebb9774d39f5914f93bc8d3"
}
},
{
"filename": "tdata_grabber-1.0.0.tar.gz",
"hashes": {
"md5": "f37bcb72b6ce45d02b5958be0332eb9c",
"sha256": "ef814bde8e8d36fbd9e165a595ee1eb7e5f7b71dac67f7868ac66787fe03cc79",
"blake2b_256": "4ee51edc40e31c616ed9cdf5a65c03db2144cb2a01a910671c7c788f38891c7b"
}
}
]
}