From PyPI to the Dark Marketplace: How a Malicious Package Fuels the Sale of Telegram Identities
Description

Introduction

In today's digital era, security breaches can occur in the blink of an eye. Telegram Desktop is renowned for its secure, user-friendly messaging interface, but what if the data used to provide that seamless experience could also be your greatest problem? Our investigation into three seemingly harmless PyPI color packages revealed hidden background functionality that steals the Telegram Desktop tdata folder. With this folder in hand, an attacker does not need to bypass passwords or two-factor authentication: they simply steal your session and gain unlimited access to your entire Telegram account.

The Packages: Quicolor, QuickColors, and ColorYi

All three packages are cases of typosquatting on the legitimate quickcolor package, using similar names to mislead users while concealing malicious functionality. At first glance, Quicolor, QuickColors, and ColorYi appear to serve the same purpose:

Legitimate Functionality: All three packages offer an easy-to-use API for applying ANSI color codes to strings. They provide convenience functions like red(), green(), blue(), and even composite functions like rainbow() that color each character differently.

Ease of Integration: Designed to be imported and used with minimal configuration, these libraries aim to help developers produce colorful output with just a few lines of code.

Despite their useful features, a closer inspection of their source code reveals unexpected behavior.

Unmasking the Hidden Background Functionality

