-= Per source details. Do not edit below this line.=-
During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap.
The campaign is built over a malicious Roblox API wrapper. The roboat[.]pro (later robase[.]app) domain advertises a wrapper that is either directly malicious (as roboat collected in the campaign 2026-03-rowrap) or uses a malicious dependencies (like roboat-utils). New versions are published simultaneously with malicious dependencies and quickly removed. Another advertisement channel is https://github.com/Addi9000/roboat referencing two active contributors: https://github.com/Addi9000 and https://github.com/RoCruise
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-03-roboat-addition
Reasons (based on the campaign):
The package overrides the install command in setup.py to execute malicious code during installation.
Downloads and executes a remote executable.
The malicious code is intentionally included in a dependency of the package
malware
clones-real-package
{
"malicious-packages-origins": [
{
"versions": [
"0.0.1"
],
"sha256": "5227c1d7a79a1dcce9aae113c60aa92087e3ebd9bcf6696589c53c3ab1edf572",
"source": "kam193",
"modified_time": "2026-03-29T20:12:49.187045Z",
"import_time": "2026-03-29T20:46:34.585762128Z",
"id": "pypi/2026-03-roboat-addition/databaseroboat"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "29455dd419aa46a57b75cee86f6dd0fda6e194a3d875bbd54c879fe24c8e6be2",
"source": "kam193",
"modified_time": "2026-03-29T23:01:20.450297Z",
"import_time": "2026-03-29T23:46:00.35567975Z",
"id": "pypi/2026-03-roboat-addition/databaseroboat"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "1ba410c4503ae9b5b92483f291513a30cb8e18b4e5b164e1848e01a9467e90a2",
"source": "kam193",
"modified_time": "2026-03-29T23:01:20.450297Z",
"import_time": "2026-04-04T22:45:36.626262685Z",
"id": "pypi/2026-03-roboat-addition/databaseroboat"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "f1443616eb0b9a85e280accc30a1d86cdd945f16bc7906847e65242e7a7dfef7",
"source": "kam193",
"modified_time": "2026-03-29T23:01:20.450297Z",
"import_time": "2026-04-05T09:18:40.862291041Z",
"id": "pypi/2026-03-roboat-addition/databaseroboat"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "a42a5c4b6eae0027e2c26421c882d5739702cc0b323e19af2c8ee37d012c527a",
"modified_time": "2026-03-29T23:01:20.450297Z",
"source": "kam193",
"import_time": "2026-04-08T10:27:39.255270114Z",
"id": "pypi/2026-03-roboat-addition/databaseroboat"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "d12f3d05a2d825961a712c938598b76138997193e40531548ac6ce2b28184689",
"modified_time": "2026-03-29T23:01:20.450297Z",
"source": "kam193",
"import_time": "2026-04-10T21:47:38.799797814Z",
"id": "pypi/2026-03-roboat-addition/databaseroboat"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "aa6fc51ce98a554b0adacdbc69de2796b13f41519e806aa331855b54a4ed4ba1",
"source": "kam193",
"modified_time": "2026-03-29T23:01:20.450297Z",
"import_time": "2026-04-12T21:46:35.801598081Z",
"id": "pypi/2026-03-roboat-addition/databaseroboat"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "3c3d5d00b97ea534e5873e4b0aecaa2895fcc25dfca987d487dcc2510cf14f3a",
"modified_time": "2026-03-29T23:01:20.450297Z",
"source": "kam193",
"id": "pypi/2026-03-roboat-addition/databaseroboat",
"import_time": "2026-04-12T22:12:37.178255984Z"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "78cb99eb2eb5a03d3519798ac1c5f9bc3a25172172ee8d364b5079edab22d92b",
"source": "kam193",
"modified_time": "2026-03-29T23:01:20.450297Z",
"import_time": "2026-04-16T07:38:25.006491155Z",
"id": "pypi/2026-03-roboat-addition/databaseroboat"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "f791518a5811c741eea54f23202e5e95b2d7e3ca7c9ced0fa0fd8ec2afd3ccd5",
"modified_time": "2026-03-29T23:01:20.450297Z",
"source": "kam193",
"import_time": "2026-04-25T08:25:00.388009007Z",
"id": "pypi/2026-03-roboat-addition/databaseroboat"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "9930640c2182c34ab71c92c2d05e791f15a03bc73513ffe292e13db07854d016",
"source": "kam193",
"modified_time": "2026-03-29T23:01:20.450297Z",
"import_time": "2026-04-26T17:18:12.819796287Z",
"id": "pypi/2026-03-roboat-addition/databaseroboat"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "62d522c54ec749bd7872d786c063b7dd002e3ca6f866a2796edffdc6483de135",
"modified_time": "2026-03-29T23:01:20.450297Z",
"source": "kam193",
"import_time": "2026-04-27T21:50:25.211933586Z",
"id": "pypi/2026-03-roboat-addition/databaseroboat"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "fc43498746eb0334c9008567624bf03bde70561675fdddd67d175917354e27d0",
"modified_time": "2026-03-29T23:01:20.450297Z",
"source": "kam193",
"import_time": "2026-04-28T22:49:44.39784284Z",
"id": "pypi/2026-03-roboat-addition/databaseroboat"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "5acf7e5025d618897bd07b8c2fd19234c35287ce54e8c195c8b8b1bdbb3345b3",
"modified_time": "2026-03-29T23:01:20.450297Z",
"source": "kam193",
"id": "pypi/2026-03-roboat-addition/databaseroboat",
"import_time": "2026-05-03T20:48:01.278081063Z"
},
{
"versions": [
"0.0.1",
"0.0.2"
],
"sha256": "2d41879b8aa9964477f1055038ad155029dd0d279d1d0011d3548181c1066277",
"modified_time": "2026-03-29T23:01:20.450297Z",
"source": "kam193",
"id": "pypi/2026-03-roboat-addition/databaseroboat",
"import_time": "2026-05-28T04:57:09.764779078Z"
}
],
"iocs": {
"urls": [
"https://jolly-violet-def9.staraledreamer.workers.dev/DDDD.exe",
"https://holy-sun-41ff.staraledreamer.workers.dev/gore.vbs",
"https://github.com/betonme27/flies/releases/download/a/s22s.zhr",
"https://dawn-thunder-f821.staraledreamer.workers.dev/gore.vbs"
],
"domains": [
"jolly-violet-def9.staraledreamer.workers.dev",
"holy-sun-41ff.staraledreamer.workers.dev"
]
}
}