MAL-2026-1544

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/rowrap/MAL-2026-1544.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-1544
Published
2026-03-18T06:42:54Z
Modified
2026-03-24T00:02:49.724620Z
Summary
Malicious code in rowrap (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (606ce541a3ef4a98e4e1639e96c6431e7ec83be6f987c640a63c03991eae4f6e)

The package hides code to download and start a malicious script containing malware, identified as adware. The triggering method seems to be a PTH file, although it's not always present.

Given the time correlation, it's likely an armored continuation of 2026-03-robloxapi-testy


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-rowrap

Reasons (based on the campaign):

  • Downloads and executes a remote malicious script.

  • malware

Database specific
{
    "iocs": {
        "urls": [
            "https://dark-resonance-459b.blammervale.workers.dev/555.bat"
        ],
        "domains": [
            "dark-resonance-459b.blammervale.workers.dev"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "pypi/2026-03-rowrap/rowrap",
            "import_time": "2026-03-18T07:28:07.406687358Z",
            "sha256": "606ce541a3ef4a98e4e1639e96c6431e7ec83be6f987c640a63c03991eae4f6e",
            "source": "kam193",
            "modified_time": "2026-03-18T06:42:54.318349Z",
            "versions": [
                "1.0.0",
                "1.0.1",
                "1.0.2",
                "1.0.4",
                "1.0.8",
                "1.0.9",
                "1.1.0",
                "1.1.1",
                "1.1.2",
                "1.1.3",
                "1.1.5",
                "1.1.6",
                "1.1.8",
                "1.20",
                "1.21"
            ]
        },
        {
            "id": "pypi/2026-03-rowrap/rowrap",
            "import_time": "2026-03-23T23:45:18.695924096Z",
            "sha256": "aa14a24775db29bdb8ff5f2e696e0499d404549e6e51f7b4b891973def89ce9f",
            "source": "kam193",
            "modified_time": "2026-03-18T06:42:54.318349Z",
            "versions": [
                "1.0.0",
                "1.0.1",
                "1.0.2",
                "1.0.4",
                "1.0.8",
                "1.0.9",
                "1.1.0",
                "1.1.1",
                "1.1.2",
                "1.1.3",
                "1.1.5",
                "1.1.6",
                "1.1.8",
                "1.20",
                "1.21"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / rowrap

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.4
1.0.8
1.0.9
1.1.0
1.1.1
1.1.2
1.1.3
1.1.5
1.1.6
1.1.8
1.20
1.21

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/rowrap/MAL-2026-1544.json"