MAL-2026-2494

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/databasetapes/MAL-2026-2494.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-2494
Published
2026-04-05T19:35:23Z
Modified
2026-05-28T05:01:08.607310924Z
Summary
Malicious code in databasetapes (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (d859d21aa59dfad2efc5c2f98253cd1cc808621fb3b7525037c104324e27dfe8)

During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap.

The campaign is built over a malicious Roblox API wrapper. The roboat[.]pro (later robase[.]app) domain advertises a wrapper that is either directly malicious (as roboat collected in the campaign 2026-03-rowrap) or uses a malicious dependencies (like roboat-utils). New versions are published simultaneously with malicious dependencies and quickly removed. Another advertisement channel is https://github.com/Addi9000/roboat referencing two active contributors: https://github.com/Addi9000 and https://github.com/RoCruise


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-roboat-addition

Reasons (based on the campaign):

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • Downloads and executes a remote executable.

  • The malicious code is intentionally included in a dependency of the package

  • malware

  • clones-real-package

Database specific
{
    "iocs": {
        "domains": [
            "jolly-violet-def9.staraledreamer.workers.dev",
            "holy-sun-41ff.staraledreamer.workers.dev",
            "spring-math-9df3.aledreamsaledreams2.workers.dev"
        ],
        "urls": [
            "https://jolly-violet-def9.staraledreamer.workers.dev/DDDD.exe",
            "https://holy-sun-41ff.staraledreamer.workers.dev/gore.vbs",
            "https://github.com/betonme27/flies/releases/download/a/s22s.zhr",
            "https://dawn-thunder-f821.staraledreamer.workers.dev/gore.vbs",
            "https://green-shadow-38d7.aledreamsaledreams2.workers.dev/tree.vbs",
            "https://spring-math-9df3.aledreamsaledreams2.workers.dev/winre.bat"
        ]
    },
    "malicious-packages-origins": [
        {
            "source": "kam193",
            "sha256": "b80211cd83eadafb46b131727e00759d3766bc1e1d2c25d399ddc9150ecf32e1",
            "modified_time": "2026-04-05T19:35:23.445342Z",
            "import_time": "2026-04-05T19:45:11.066735984Z",
            "id": "pypi/2026-03-roboat-addition/databasetapes",
            "versions": [
                "0.0.4"
            ]
        },
        {
            "source": "kam193",
            "sha256": "404d8a348eab93d01fb25c7782536976b78123759077cf06cd939ddf6cba9bf8",
            "modified_time": "2026-04-05T19:35:23.445342Z",
            "import_time": "2026-04-08T10:27:39.258052956Z",
            "id": "pypi/2026-03-roboat-addition/databasetapes",
            "versions": [
                "0.0.4"
            ]
        },
        {
            "source": "kam193",
            "sha256": "c9f0aa6e7bc1dfc5b7942d45f87c1f69d8c0fa080e76964ea29372d9a380b8e0",
            "id": "pypi/2026-03-roboat-addition/databasetapes",
            "import_time": "2026-04-10T21:47:38.803729684Z",
            "modified_time": "2026-04-05T19:35:23.445342Z",
            "versions": [
                "0.0.4"
            ]
        },
        {
            "source": "kam193",
            "sha256": "512fe505678cab5ff24d49099ca6215c5f7679c2be26aa76dce90ad7cca667a3",
            "id": "pypi/2026-03-roboat-addition/databasetapes",
            "import_time": "2026-04-12T21:46:35.807566953Z",
            "modified_time": "2026-04-05T19:35:23.445342Z",
            "versions": [
                "0.0.4"
            ]
        },
        {
            "source": "kam193",
            "sha256": "d859d21aa59dfad2efc5c2f98253cd1cc808621fb3b7525037c104324e27dfe8",
            "modified_time": "2026-04-05T19:35:23.445342Z",
            "import_time": "2026-04-12T22:12:37.184351881Z",
            "id": "pypi/2026-03-roboat-addition/databasetapes",
            "versions": [
                "0.0.4"
            ]
        },
        {
            "source": "kam193",
            "sha256": "44fce440170ca8e8b90d8fdb75421d9be9c753218d0a7d2cb838d30ba15e901e",
            "modified_time": "2026-04-05T19:35:23.445342Z",
            "import_time": "2026-04-16T07:38:25.013058981Z",
            "id": "pypi/2026-03-roboat-addition/databasetapes",
            "versions": [
                "0.0.4"
            ]
        },
        {
            "source": "kam193",
            "sha256": "8c30e1b9bed2d235328a895cefb54920161d60ea32362b18e96b88e6371807fa",
            "modified_time": "2026-04-05T19:35:23.445342Z",
            "import_time": "2026-04-25T08:25:00.393510189Z",
            "id": "pypi/2026-03-roboat-addition/databasetapes",
            "versions": [
                "0.0.4"
            ]
        },
        {
            "source": "kam193",
            "sha256": "6f8ecbeae6ee8cb6c58135e4891b8fb054fe8ca712b28308ad5530b1b8459409",
            "modified_time": "2026-04-05T19:35:23.445342Z",
            "import_time": "2026-04-26T17:18:12.827165961Z",
            "id": "pypi/2026-03-roboat-addition/databasetapes",
            "versions": [
                "0.0.4"
            ]
        },
        {
            "source": "kam193",
            "sha256": "d477d1456dd4decf7cce673e1736d404a3a19bf45e7f7897f5fbdbd03ce58bc4",
            "modified_time": "2026-04-05T19:35:23.445342Z",
            "import_time": "2026-04-27T21:50:25.219867952Z",
            "id": "pypi/2026-03-roboat-addition/databasetapes",
            "versions": [
                "0.0.4"
            ]
        },
        {
            "source": "kam193",
            "sha256": "43339c3b604506e776dddf08eac0e5a125696a11d7f5ff8363ba733110ea18c2",
            "modified_time": "2026-04-05T19:35:23.445342Z",
            "import_time": "2026-04-28T22:49:44.405156134Z",
            "id": "pypi/2026-03-roboat-addition/databasetapes",
            "versions": [
                "0.0.4"
            ]
        },
        {
            "source": "kam193",
            "sha256": "1568296598ea7ee06cb5cc16ae5720a1f6aaa6c0cae6e66d77c9fb960b1814fc",
            "modified_time": "2026-04-05T19:35:23.445342Z",
            "import_time": "2026-05-03T20:48:01.284870115Z",
            "id": "pypi/2026-03-roboat-addition/databasetapes",
            "versions": [
                "0.0.4"
            ]
        },
        {
            "source": "kam193",
            "sha256": "55d387c19ad2d102bd08070063219d97abfab9cfc9ccb323b6d6eba57f42559b",
            "id": "pypi/2026-03-roboat-addition/databasetapes",
            "import_time": "2026-05-28T04:57:09.771744898Z",
            "modified_time": "2026-04-05T19:35:23.445342Z",
            "versions": [
                "0.0.4"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / databasetapes

Package

Affected ranges

Affected versions

0.*
0.0.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/databasetapes/MAL-2026-2494.json"