MAL-2026-5329

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/spaysdatarbx/MAL-2026-5329.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5329
Published
2026-06-08T13:43:18Z
Modified
2026-06-11T04:01:30.758149524Z
Summary
Malicious code in spaysdatarbx (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1bcaa4bf6f81efed82d35081ec059dfcd2f55e50b84f28d8b0ad4d8afe63089f)

spaysdatarbx is a Windows infostealer disguised as a Roblox DataStore library. On import spaysdata, __init__.py invokes main_entry() (wrapped in try/except: pass to stay silent), which performs three malicious actions:

  (1) reads %USERPROFILE%/AppData/Local/Roblox/LocalStorage/robloxcookies.dat, DPAPI-decrypts it, and POSTs the plaintext Roblox session cookie to a hardcoded Discord webhook (https://discord.com/api/webhooks/1499336276762038292/...);
  (2) walks Discord, Chrome, Edge, Brave, Opera, Yandex, and Firefox profile directories, force-kills Discord with taskkill /f /im Discord.exe to release leveldb locks, AES-GCM-decrypts auth tokens with each browser's DPAPI master key, and POSTs every recovered token to the same webhook;
  (3) establishes persistence by copying itself to %APPDATA%\MySystemUtility\ and writing an HKCU...\Run\MyPythonAutostartApp registry value that re-launches the stealer at every login, hiding the console window via ShowWindow(GetConsoleWindow(), 0).

The package's advertised purpose ('Библиотека для работы с DataStore в Roblox', i.e. 'Library for working with DataStore in Roblox') is a decoy: no DataStore functionality exists in main.py, only the stealer. Any developer who installs and imports this package has their Roblox session and all browser-stored Discord tokens sent to the attacker, plus a persistent autostart entry for ongoing theft.

Source: kam193 (31b0b97326861aabb747f26e130a5dbda5ac78100fafbb3a3327b1981119e3a6)

The package exfiltrates Roblox cookies from the victim machine.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-spaysrbdata

Reasons (based on the campaign):

  • infostealer
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "31b0b97326861aabb747f26e130a5dbda5ac78100fafbb3a3327b1981119e3a6",
            "source": "kam193",
            "import_time": "2026-06-08T15:12:45.407175189Z",
            "id": "pypi/2026-06-spaysrbdata/spaysdatarbx",
            "versions": [
                "0.1.3",
                "0.1.5"
            ],
            "modified_time": "2026-06-08T13:43:18.338578Z"
        },
        {
            "sha256": "ddffc9e3413a0002eb53a77c72679297563add6c776b89475e9e0bb83d516d49",
            "source": "kam193",
            "import_time": "2026-06-09T10:41:59.933480846Z",
            "id": "pypi/2026-06-spaysrbdata/spaysdatarbx",
            "versions": [
                "0.1.3",
                "0.1.5"
            ],
            "modified_time": "2026-06-08T13:43:18.338578Z"
        },
        {
            "modified_time": "2026-06-11T02:54:32Z",
            "source": "amazon-inspector",
            "sha256": "1bcaa4bf6f81efed82d35081ec059dfcd2f55e50b84f28d8b0ad4d8afe63089f",
            "id": "IN-MAL-2026-005401",
            "versions": [
                "0.1.5"
            ],
            "import_time": "2026-06-11T03:48:46.730517847Z"
        },
        {
            "import_time": "2026-06-11T03:48:46.83398529Z",
            "source": "amazon-inspector",
            "sha256": "28acb1db885e57d4a1f6f5bcdfb316141626b89be210c550654266524d23acc7",
            "id": "IN-MAL-2026-005402",
            "versions": [
                "0.1.3"
            ],
            "modified_time": "2026-06-11T02:54:36Z"
        }
    ],
    "iocs": {
        "urls": [
            "https://script.google.com/macros/s/AKfycbwa8sLEdsG_leFVecuc_dFrZ_h5JnZKrWxXWazK1T6DoKGAGG5OJ9rznwYXg2PS-h1d/exec",
            "https://discord.com/api/webhooks/1513807955340820602/-UbLOjMGWIop17hrvQ7XsrZkJBJaNlMTueX7xnsJ9hz6DKaBgSe_Ur2FIgSJMHlusBwx"
        ]
    }
}

Affected packages

PyPI / spaysdatarbx

Affected versions

0.*
0.1.3
0.1.5

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/spaysdatarbx/MAL-2026-5329.json"
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "spaysdatarbx-0.1.5-py3-none-any.whl",
            "hashes": {
                "md5": "a35057fc2aea54a3a7c41010ee6d86b9",
                "sha256": "d198fdb35f9a8e20a99134ff07827874795b9c59197cce7472192693be2a68cb",
                "blake2b_256": "b7b23361edab7b2256a2206a52c01b39dfdc0f808fe1390e98f3a8c1b38fe7fe"
            }
        },
        {
            "filename": "spaysdatarbx-0.1.5.tar.gz",
            "hashes": {
                "md5": "a5a9794be974348f8e67d6b0118eac4f",
                "sha256": "23016a21246d121e1e522308d2827515a01ce91d4ad007e4c7d8d60f8fa7bc54",
                "blake2b_256": "560694d1f8f5a76ebe810125e6e9b23f1b8d2d132b368fc424b71cc2ed520ab3"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "2a324342ec4a14169276925ca852ed08f72743ab757122033efca7a83f75035e3b91fe",
            "sha256": "77e2aaa0ecbba755c48dc5987789afbe7432d406d6db3b1d66d2615e1694db79",
            "path": "spaysdata/main.py"
        },
        {
            "tlsh": "a2e068a05b927430a2f899cf842c8b1aae6ae700649e04fae6845c6d12e3390467833c",
            "path": "PKG-INFO",
            "sha256": "ab5f0d915d70f36c0460833a78315361157da0381e0ebbfa204ee46476243fca"
        }
    ]
}