The 'pdf-converter-pro' package on PyPI (version 1.0.0) is a malicious package designed to steal source code files from users. Its public method TXTtoPDFConverter.create_pdf(txt_path, pdf_path) only activates when called with the exact arguments 'file.txt' and 'file.pdf'. Upon activation, it recursively collects up to 50 Python source files from the user's home directory, current working directory, and filesystem roots, then exfiltrates these files by POSTing their contents to a Telegram bot API endpoint using a hardcoded bot token and chat ID. The package maintains a local SQLite database to track files already sent, preventing repeated exfiltration. The author metadata is fake, and the package does not perform any PDF conversion as advertised, instead serving as an infostealer targeting developers searching for PDF utilities on PyPI.

Users who install and invoke this package with the specified arguments risk having their Python source code files exfiltrated to an attacker-controlled Telegram chat. This can lead to unauthorized disclosure of proprietary or sensitive code, potentially exposing intellectual property or credentials embedded in source files. The package does not perform its advertised function, resulting in both data loss and functional deception.

No official patch or remediation is available for this malicious package. The best mitigation is to avoid installing or using 'pdf-converter-pro' version 1.0.0 from PyPI. Users should verify package authenticity and prefer well-known, trusted libraries. If the package is installed, remove it immediately and audit systems for unauthorized data exfiltration. Since this is a malicious package rather than a vulnerability in legitimate software, remediation involves avoiding or uninstalling the package rather than patching.