This is an advisory for a malicious package.

We recommend immediate removal of malicious versions of this package. Safety Firewall is actively blocking installation and will help you identify any existing installations of the package.

Learn more

PyPI: mcp-pdftool-plus

SFTY-20260129-57809

--- _-= Per source details. Do not edit below this line.=-_ ## Source: kam193 (2e92dea8be02288f271dacad2cd77f1bdd54596da1691cb738c4a7b7b4f77d21) When using the library, the hidden code starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-01-mcp-pdftool-plus Reasons (based on the campaign): - The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine. - action-hidden-in-lib-usage

PyPI

Created at: Jan 29, 2026Updated at: Jan 29, 2026

Overview

Malicious code in mcp-pdftool-plus (PyPI)

Advisory

Malicious code in mcp-pdftool-plus (PyPI)

Affected Package

Affecting mcp-pdftool-plus package, versions

==0.1.3

==0.1.4

==0.1.5

Also affects

---

How to Fix

We recommend updating mcp-pdftool-plus to the latest non-vulnerable version.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

https://getsafety.com/vulnerabilities/SFTY-20260129-57809

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more