-= Per source details. Do not edit below this line.=-
The package hides code that downloads and starts a malicious script containing malware, identified as adware. The triggering method seems to be a PTH file, although it is not always present.
Given the time correlation, it is likely an armored continuation of 2026-03-robloxapi-testy.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-03-rowrap
Reasons (based on the campaign):
Downloads and executes a remote malicious script.
malware
{
  "iocs": {
    "domains": [
      "dark-resonance-459b.blammervale.workers.dev",
      "dry-hall-8967.blammervale.workers.dev"
    ],
    "urls": [
      "https://dark-resonance-459b.blammervale.workers.dev/555.bat",
      "https://dry-hall-8967.blammervale.workers.dev/HHH.exe"
    ]
  },
  "malicious-packages-origins": [
    {
      "versions": [
        "1.21",
        "1.22"
      ],
      "sha256": "398cfbdac2d3602a5c9836408942993c3f2bbcda911184825f01cf9937fb035e",
      "id": "pypi/2026-03-rowrap/rowrapee",
      "import_time": "2026-03-23T23:45:18.696556125Z",
      "modified_time": "2026-03-23T23:17:18.087654Z",
      "source": "kam193"
    },
    {
      "versions": [
        "1.21",
        "1.22"
      ],
      "sha256": "d10d05b75c1cd832c14ae533bd625e9d637916e38bea3bd9a589c70cd377aae1",
      "id": "pypi/2026-03-rowrap/rowrapee",
      "import_time": "2026-03-24T00:32:02.05900229Z",
      "modified_time": "2026-03-23T23:17:18.087654Z",
      "source": "kam193"
    }
  ]
}