—

MAL-2026-4859

Malicious code in telethon-pro-safe (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: kam193 (8bc2e515c2eb7bf73ea5d532cfb6701dcaf3dd95e9d8248ee3d426b1d0c1ed8c) During installation, package executes obfuscated code that starts a RAT-like software allowing remote control and exfiltrating sensitive data.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-telethon-pro-safe

Reasons (based on the campaign):

- rat

- The package overrides the install command in setup.py to execute malicious code during installation.

- exfiltration-credentials

- exfiltration-browser-data

- The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

- The package contains code to detect if it is running in a sandbox environment.

- The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

- infostealer

- obfuscation

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / telethon-pro-safe

No fixed version published yet for telethon-pro-safe (pip). Pin to a known-safe version or switch to an alternative.

References

https://bad-packages.kam193.eu/pypi/package/telethon-pro-safe [WEB]