Which versions of d4rktg are malicious?

The following PyPI versions of d4rktg are flagged malicious: 1.2.7. Treat any of these as compromised.

How do I remediate d4rktg if I installed it?

d4rktg establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.

I already installed d4rktg — how do I know if it already compromised me?

If d4rktg was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is d4rktg part of a known attack campaign?

Yes — d4rktg is associated with the IN-MAL-2026-002624 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find d4rktg across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for d4rktg (version 1.2.7). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging d4rktg across your stack and pipelines.

Malicious package

d4rktgPyPI

Malicious code in d4rktg (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-3688

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall d4rktg

What this malware does

The library's sole authorization primitive, CustomFilters.authorize() in d4rk/Utils/_filters.py, OR's the installer-supplied owner_id and sudo_users list with a hardcoded Telegram user ID 7859877609 (lines 48-53). Any developer who installs this package to build a Telegram bot and uses the library's advertised authorize() filter to gate owner/admin commands silently grants Telegram account 7859877609 the same privileges as the bot's declared owner — including whatever privileged actions the bot exposes (admin commands, sudo commands, shell-style handlers common in Telegram bot frameworks). The bypass is not documented, cannot be disabled through configuration, and is reachable through normal use of the library's public API. This is a hidden persistent-access backdoor against the installer's deployed bot, not author self-harm: the harm flows from the installer to an account under the package author's (or a third party's) control.

Malicious versions

1 flagged

1.2.7

Indicators of compromise (SHA-256)

3348d9f4bb35442b1de902c35ca46292f9336a8f83ac8deb7e870b2cd6af9019

Detection & response playbook

Backdoor / remote access

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for d4rktg (version 1.2.7). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging d4rktg across your stack and pipelines.
If you installed it — respond
d4rktg establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.
Did it already run?
If d4rktg was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks d4rktg before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. d4rktg on PyPI has been identified as a malicious package (version 1.2.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002624

References

pypi.org

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks d4rktg-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the C2 callback and severs the channel.

Malware detection Runtime egress monitoring