MAL-2026-2295

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/databaseroboat/MAL-2026-2295.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-2295
Published
2026-03-29T20:12:48Z
Modified
2026-05-28T05:01:10.151189668Z
Summary
Malicious code in databaseroboat (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (3c3d5d00b97ea534e5873e4b0aecaa2895fcc25dfca987d487dcc2510cf14f3a)

During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap.

The campaign is built over a malicious Roblox API wrapper. The roboat[.]pro (later robase[.]app) domain advertises a wrapper that is either directly malicious (as roboat collected in the campaign 2026-03-rowrap) or uses a malicious dependencies (like roboat-utils). New versions are published simultaneously with malicious dependencies and quickly removed. Another advertisement channel is https://github.com/Addi9000/roboat referencing two active contributors: https://github.com/Addi9000 and https://github.com/RoCruise


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-roboat-addition

Reasons (based on the campaign):

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • Downloads and executes a remote executable.

  • The malicious code is intentionally included in a dependency of the package

  • malware

  • clones-real-package

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.0.1"
            ],
            "sha256": "5227c1d7a79a1dcce9aae113c60aa92087e3ebd9bcf6696589c53c3ab1edf572",
            "source": "kam193",
            "modified_time": "2026-03-29T20:12:49.187045Z",
            "import_time": "2026-03-29T20:46:34.585762128Z",
            "id": "pypi/2026-03-roboat-addition/databaseroboat"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "29455dd419aa46a57b75cee86f6dd0fda6e194a3d875bbd54c879fe24c8e6be2",
            "source": "kam193",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "import_time": "2026-03-29T23:46:00.35567975Z",
            "id": "pypi/2026-03-roboat-addition/databaseroboat"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "1ba410c4503ae9b5b92483f291513a30cb8e18b4e5b164e1848e01a9467e90a2",
            "source": "kam193",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "import_time": "2026-04-04T22:45:36.626262685Z",
            "id": "pypi/2026-03-roboat-addition/databaseroboat"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "f1443616eb0b9a85e280accc30a1d86cdd945f16bc7906847e65242e7a7dfef7",
            "source": "kam193",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "import_time": "2026-04-05T09:18:40.862291041Z",
            "id": "pypi/2026-03-roboat-addition/databaseroboat"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "a42a5c4b6eae0027e2c26421c882d5739702cc0b323e19af2c8ee37d012c527a",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "source": "kam193",
            "import_time": "2026-04-08T10:27:39.255270114Z",
            "id": "pypi/2026-03-roboat-addition/databaseroboat"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "d12f3d05a2d825961a712c938598b76138997193e40531548ac6ce2b28184689",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "source": "kam193",
            "import_time": "2026-04-10T21:47:38.799797814Z",
            "id": "pypi/2026-03-roboat-addition/databaseroboat"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "aa6fc51ce98a554b0adacdbc69de2796b13f41519e806aa331855b54a4ed4ba1",
            "source": "kam193",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "import_time": "2026-04-12T21:46:35.801598081Z",
            "id": "pypi/2026-03-roboat-addition/databaseroboat"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "3c3d5d00b97ea534e5873e4b0aecaa2895fcc25dfca987d487dcc2510cf14f3a",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "source": "kam193",
            "id": "pypi/2026-03-roboat-addition/databaseroboat",
            "import_time": "2026-04-12T22:12:37.178255984Z"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "78cb99eb2eb5a03d3519798ac1c5f9bc3a25172172ee8d364b5079edab22d92b",
            "source": "kam193",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "import_time": "2026-04-16T07:38:25.006491155Z",
            "id": "pypi/2026-03-roboat-addition/databaseroboat"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "f791518a5811c741eea54f23202e5e95b2d7e3ca7c9ced0fa0fd8ec2afd3ccd5",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "source": "kam193",
            "import_time": "2026-04-25T08:25:00.388009007Z",
            "id": "pypi/2026-03-roboat-addition/databaseroboat"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "9930640c2182c34ab71c92c2d05e791f15a03bc73513ffe292e13db07854d016",
            "source": "kam193",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "import_time": "2026-04-26T17:18:12.819796287Z",
            "id": "pypi/2026-03-roboat-addition/databaseroboat"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "62d522c54ec749bd7872d786c063b7dd002e3ca6f866a2796edffdc6483de135",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "source": "kam193",
            "import_time": "2026-04-27T21:50:25.211933586Z",
            "id": "pypi/2026-03-roboat-addition/databaseroboat"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "fc43498746eb0334c9008567624bf03bde70561675fdddd67d175917354e27d0",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "source": "kam193",
            "import_time": "2026-04-28T22:49:44.39784284Z",
            "id": "pypi/2026-03-roboat-addition/databaseroboat"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "5acf7e5025d618897bd07b8c2fd19234c35287ce54e8c195c8b8b1bdbb3345b3",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "source": "kam193",
            "id": "pypi/2026-03-roboat-addition/databaseroboat",
            "import_time": "2026-05-03T20:48:01.278081063Z"
        },
        {
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "sha256": "2d41879b8aa9964477f1055038ad155029dd0d279d1d0011d3548181c1066277",
            "modified_time": "2026-03-29T23:01:20.450297Z",
            "source": "kam193",
            "id": "pypi/2026-03-roboat-addition/databaseroboat",
            "import_time": "2026-05-28T04:57:09.764779078Z"
        }
    ],
    "iocs": {
        "urls": [
            "https://jolly-violet-def9.staraledreamer.workers.dev/DDDD.exe",
            "https://holy-sun-41ff.staraledreamer.workers.dev/gore.vbs",
            "https://github.com/betonme27/flies/releases/download/a/s22s.zhr",
            "https://dawn-thunder-f821.staraledreamer.workers.dev/gore.vbs"
        ],
        "domains": [
            "jolly-violet-def9.staraledreamer.workers.dev",
            "holy-sun-41ff.staraledreamer.workers.dev"
        ]
    }
}
References
Credits

Affected packages

PyPI / databaseroboat

Package

Affected ranges

Affected versions

0.*
0.0.1
0.0.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/databaseroboat/MAL-2026-2295.json"