d4rktg @1.2.7

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-3688

Ecosystem

pypi

Summary

The library's sole authorization primitive, CustomFilters.authorize() in d4rk/Utils/_filters.py, ORs the installer-supplied owner_id and sudo_users list with a hardcoded Telegram user ID 7859877609 (lines 48-53). Any developer who installs this package to build a Telegram bot and uses the library's advertised authorize() filter to gate owner/admin commands silently grants Telegram account 7859877609 the same privileges as the bot's declared owner, including whatever privileged actions the bot exposes (admin commands, sudo commands, shell-style handlers common in Telegram bot frameworks). The bypass is not documented, cannot be disabled through configuration, and is reachable through normal use of the library's public API. This is a hidden persistent-access backdoor against the installer's deployed bot, not author self-harm: the harm flows from the installer to an account under the package author's (or a third party's) control.

Source: amazon-inspector (3348d9f4bb35442b1de902c35ca46292f9336a8f83ac8deb7e870b2cd6af9019)
