MAL-2026-2489

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/databaserobooms/MAL-2026-2489.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-2489
Published
2026-04-04T22:24:16Z
Modified
2026-05-28T05:01:10.158395413Z
Summary
Malicious code in databaserobooms (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (193ce4e29885d967183910228ce00d02b4380d25ff1a9b342b1fb5b4c124e3ca)

During installation, the package downloads and runs a malicious executable. Likely a continuation of 2026-03-rowrap.

The campaign is built on a malicious Roblox API wrapper. The roboat[.]pro (later robase[.]app) domain advertises a wrapper that is either directly malicious (as roboat, collected in the campaign 2026-03-rowrap) or uses malicious dependencies (like roboat-utils). New versions are published simultaneously with the malicious dependencies and quickly removed. Another advertisement channel is https://github.com/Addi9000/roboat, which references two active contributors: https://github.com/Addi9000 and https://github.com/RoCruise


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-roboat-addition

Reasons (based on the campaign):

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • Downloads and executes a remote executable.

  • The malicious code is intentionally included in a dependency of the package.

  • malware

  • clones-real-package

Database specific
{
    "iocs": {
        "urls": [
            "https://jolly-violet-def9.staraledreamer.workers.dev/DDDD.exe",
            "https://holy-sun-41ff.staraledreamer.workers.dev/gore.vbs",
            "https://github.com/betonme27/flies/releases/download/a/s22s.zhr",
            "https://dawn-thunder-f821.staraledreamer.workers.dev/gore.vbs",
            "https://green-shadow-38d7.aledreamsaledreams2.workers.dev/tree.vbs"
        ],
        "domains": [
            "jolly-violet-def9.staraledreamer.workers.dev",
            "holy-sun-41ff.staraledreamer.workers.dev"
        ]
    }
}

Affected packages

PyPI / databaserobooms

Affected versions

0.*
0.0.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/databaserobooms/MAL-2026-2489.json"