{"id":"MAL-2026-1544","summary":"Malicious code in rowrap (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (606ce541a3ef4a98e4e1639e96c6431e7ec83be6f987c640a63c03991eae4f6e)\nThe package hides code to download and start malicious script containing malware, identified as adware. The triggering method seems to be PTH file, although it's not always present\n\n Given the time correlation, it's likely armored continuation of 2026-03-robloxapi-testy\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-03-rowrap\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n\n\n - malware\n","modified":"2026-03-24T00:02:49.724620Z","published":"2026-03-18T06:42:54Z","database_specific":{"malicious-packages-origins":[{"id":"pypi/2026-03-rowrap/rowrap","versions":["1.0.0","1.0.1","1.0.2","1.0.4","1.0.8","1.0.9","1.1.0","1.1.1","1.1.2","1.1.3","1.1.5","1.1.6","1.1.8","1.20","1.21"],"source":"kam193","import_time":"2026-03-18T07:28:07.406687358Z","sha256":"606ce541a3ef4a98e4e1639e96c6431e7ec83be6f987c640a63c03991eae4f6e","modified_time":"2026-03-18T06:42:54.318349Z"},{"id":"pypi/2026-03-rowrap/rowrap","versions":["1.0.0","1.0.1","1.0.2","1.0.4","1.0.8","1.0.9","1.1.0","1.1.1","1.1.2","1.1.3","1.1.5","1.1.6","1.1.8","1.20","1.21"],"source":"kam193","import_time":"2026-03-23T23:45:18.695924096Z","sha256":"aa14a24775db29bdb8ff5f2e696e0499d404549e6e51f7b4b891973def89ce9f","modified_time":"2026-03-18T06:42:54.318349Z"}],"iocs":{"domains":["dark-resonance-459b.blammervale.workers.dev"],"urls":["https://dark-resonance-459b.blammervale.workers.dev/555.bat"]}},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/7853783660953f032d117c78eb627fa7a22bdd828b161a58f2abc7405905bce2/detection"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/rowrap"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/fa7d6114e0d7f164122f7080d19c83ffbfa8e2f3b56a9c7ba95bf5663f72b97c"}],"affected":[{"package":{"name":"rowrap","ecosystem":"PyPI","purl":"pkg:pypi/rowrap"},"versions":["1.0.0","1.0.1","1.0.2","1.0.4","1.0.8","1.0.9","1.1.0","1.1.1","1.1.2","1.1.3","1.1.5","1.1.6","1.1.8","1.20","1.21"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/rowrap/MAL-2026-1544.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}