MAL-2026-5334

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/spaysrbx/MAL-2026-5334.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5334
Published
2026-06-08T20:47:35Z
Modified
2026-06-11T02:31:32.019535549Z
Summary
Malicious code in spaysrbx (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d4bae51ef6cd61eb9bfc38ac2d8dd8ad1f38d22c4e55b8ccdfc53cd2ed94076f)

On import spaysdata, the package's __init__.py invokes main_entry() in spaysdata/main.py, which performs three attacker-benefit actions automatically: (1) reads %USERPROFILE%/AppData/Local/Roblox/LocalStorage/robloxcookies.dat, decrypts it via win32crypt.CryptUnprotectData, and POSTs the cleartext Roblox session cookies to a hardcoded Discord webhook (discord.com/api/webhooks/1513603677913616544/...); (2) enumerates Discord, Discord Canary, Lightcord, Chrome, Edge, Brave, Yandex, Opera, and Firefox profile directories, decrypts dQw4w9WgXcQ-encrypted tokens using DPAPI + AES-GCM, kills Discord.exe via taskkill, and POSTs each token plus user info to the same webhook; (3) copies the running file to %APPDATA%/MySystemUtility/ and writes HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyPythonAutostartApp to re-execute the stealer on each user login, with the console window hidden via ShowWindow(0). The package's advertised purpose (pyproject.toml description: "Library for working with DataStore in Roblox") is a cover story — no DataStore functionality exists in the source; only credential-theft and persistence code is shipped.

Source: kam193 (21c6a7c2bf656df8e570edbe60daa7af52e1e0df0eae906de41f47dcf6eb0ede)

The package exfiltrates Roblox cookies from the victim machine.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-spaysrbdata

Reasons (based on the campaign):

  • infostealer
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "21c6a7c2bf656df8e570edbe60daa7af52e1e0df0eae906de41f47dcf6eb0ede",
            "id": "pypi/2026-06-spaysrbdata/spaysrbx",
            "import_time": "2026-06-08T21:15:24.070787965Z",
            "modified_time": "2026-06-08T20:47:35.604257Z",
            "versions": [
                "0.3.0"
            ],
            "source": "kam193"
        },
        {
            "versions": [
                "0.3.0"
            ],
            "id": "pypi/2026-06-spaysrbdata/spaysrbx",
            "import_time": "2026-06-09T10:41:59.935096659Z",
            "sha256": "e8ed2b72d0419496418ee74f0479cca2dc8027c6a290c7022d590fb6a57d5780",
            "modified_time": "2026-06-08T20:47:35.604257Z",
            "source": "kam193"
        },
        {
            "versions": [
                "0.3.0"
            ],
            "id": "IN-MAL-2026-005373",
            "modified_time": "2026-06-11T01:59:55Z",
            "sha256": "d4bae51ef6cd61eb9bfc38ac2d8dd8ad1f38d22c4e55b8ccdfc53cd2ed94076f",
            "import_time": "2026-06-11T02:24:28.507863786Z",
            "source": "amazon-inspector"
        }
    ],
    "iocs": {
        "urls": [
            "https://script.google.com/macros/s/AKfycbwa8sLEdsG_leFVecuc_dFrZ_h5JnZKrWxXWazK1T6DoKGAGG5OJ9rznwYXg2PS-h1d/exec",
            "https://discord.com/api/webhooks/1513807955340820602/-UbLOjMGWIop17hrvQ7XsrZkJBJaNlMTueX7xnsJ9hz6DKaBgSe_Ur2FIgSJMHlusBwx"
        ]
    }
}
References
Credits

Affected packages

PyPI / spaysrbx

Package

Affected ranges

Affected versions

0.*
0.3.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "239a724d7a0090bc1f6f418b63229fcb9c924e06e3fe21c5a3703528164177ad",
            "tlsh": "9b324342ec4a14169276924ca856ed08f72743ab757122033efca7a83f75075e3b91fe",
            "path": "spaysdata/main.py"
        },
        {
            "tlsh": "05f09972d8796c309174704692508a08faa1717a36d400fa32daa1ed15ab350cbaca3c",
            "sha256": "acc5ba6b0abf6f7f54f17734e5cae45f977af77b1ba7129dbf3de0795a740720",
            "path": "pyproject.toml"
        }
    ],
    "package_integrity": [
        {
            "filename": "spaysrbx-0.3.0-py3-none-any.whl",
            "hashes": {
                "md5": "0cf977203be222673fc5e20dfd0c2284",
                "sha256": "fd923244caf6036cd7965ec923be04741aa27bfd8aab209176bce6ffb29b1bee",
                "blake2b_256": "8a1419e3676989072f00b8f2d636bdba85deb63f8f9dc2639808597d3d9a1a13"
            }
        },
        {
            "filename": "spaysrbx-0.3.0.tar.gz",
            "hashes": {
                "md5": "44a52121708fd7bffb39cf7fbc5ea82b",
                "sha256": "9df45795201f67adad35b998ce9b620e767c951d01107c8f3f604214d5620d29",
                "blake2b_256": "50adb7917411af08059a061ed9a75b3c6a7e70eab0b1f0280c3a9d8de437f5a2"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/spaysrbx/MAL-2026-5334.json"