{"id":"MAL-2026-5334","summary":"Malicious code in spaysrbx (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d4bae51ef6cd61eb9bfc38ac2d8dd8ad1f38d22c4e55b8ccdfc53cd2ed94076f)\nOn `import spaysdata`, the package's `__init__.py` invokes `main_entry()` in `spaysdata/main.py`, which performs three attacker-benefit actions automatically: (1) reads `%USERPROFILE%/AppData/Local/Roblox/LocalStorage/robloxcookies.dat`, decrypts it via `win32crypt.CryptUnprotectData`, and POSTs the cleartext Roblox session cookies to a hardcoded Discord webhook (`discord.com/api/webhooks/1513603677913616544/...`); (2) enumerates Discord, Discord Canary, Lightcord, Chrome, Edge, Brave, Yandex, Opera, and Firefox profile directories, decrypts dQw4w9WgXcQ-encrypted tokens using DPAPI + AES-GCM, kills `Discord.exe` via `taskkill`, and POSTs each token plus user info to the same webhook; (3) copies the running file to `%APPDATA%/MySystemUtility/` and writes `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyPythonAutostartApp` to re-execute the stealer on each user login, with the console window hidden via `ShowWindow(0)`. The package's advertised purpose (`pyproject.toml` description: \"Library for working with DataStore in Roblox\") is a cover story — no DataStore functionality exists in the source; only credential-theft and persistence code is shipped.\n\n## Source: kam193 (21c6a7c2bf656df8e570edbe60daa7af52e1e0df0eae906de41f47dcf6eb0ede)\nThe package exfiltrates Roblox cookies from the victim machine.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-spaysrbdata\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n","modified":"2026-06-11T02:31:32.019535549Z","published":"2026-06-08T20:47:35Z","database_specific":{"iocs":{"urls":["https://script.google.com/macros/s/AKfycbwa8sLEdsG_leFVecuc_dFrZ_h5JnZKrWxXWazK1T6DoKGAGG5OJ9rznwYXg2PS-h1d/exec","https://discord.com/api/webhooks/1513807955340820602/-UbLOjMGWIop17hrvQ7XsrZkJBJaNlMTueX7xnsJ9hz6DKaBgSe_Ur2FIgSJMHlusBwx"]},"malicious-packages-origins":[{"id":"pypi/2026-06-spaysrbdata/spaysrbx","modified_time":"2026-06-08T20:47:35.604257Z","import_time":"2026-06-08T21:15:24.070787965Z","source":"kam193","versions":["0.3.0"],"sha256":"21c6a7c2bf656df8e570edbe60daa7af52e1e0df0eae906de41f47dcf6eb0ede"},{"id":"pypi/2026-06-spaysrbdata/spaysrbx","modified_time":"2026-06-08T20:47:35.604257Z","import_time":"2026-06-09T10:41:59.935096659Z","source":"kam193","sha256":"e8ed2b72d0419496418ee74f0479cca2dc8027c6a290c7022d590fb6a57d5780","versions":["0.3.0"]},{"import_time":"2026-06-11T02:24:28.507863786Z","modified_time":"2026-06-11T01:59:55Z","source":"amazon-inspector","id":"IN-MAL-2026-005373","sha256":"d4bae51ef6cd61eb9bfc38ac2d8dd8ad1f38d22c4e55b8ccdfc53cd2ed94076f","versions":["0.3.0"]}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/spaysrbx"},{"type":"PACKAGE","url":"https://pypi.org/project/spaysrbx/0.3.0/"}],"affected":[{"package":{"name":"spaysrbx","ecosystem":"PyPI","purl":"pkg:pypi/spaysrbx"},"versions":["0.3.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"md5":"0cf977203be222673fc5e20dfd0c2284","blake2b_256":"8a1419e3676989072f00b8f2d636bdba85deb63f8f9dc2639808597d3d9a1a13","sha256":"fd923244caf6036cd7965ec923be04741aa27bfd8aab209176bce6ffb29b1bee"},"filename":"spaysrbx-0.3.0-py3-none-any.whl"},{"hashes":{"md5":"44a52121708fd7bffb39cf7fbc5ea82b","blake2b_256":"50adb7917411af08059a061ed9a75b3c6a7e70eab0b1f0280c3a9d8de437f5a2","sha256":"9df45795201f67adad35b998ce9b620e767c951d01107c8f3f604214d5620d29"},"filename":"spaysrbx-0.3.0.tar.gz"}],"evidence_files":[{"sha256":"239a724d7a0090bc1f6f418b63229fcb9c924e06e3fe21c5a3703528164177ad","tlsh":"9b324342ec4a14169276924ca856ed08f72743ab757122033efca7a83f75075e3b91fe","path":"spaysdata/main.py"},{"sha256":"acc5ba6b0abf6f7f54f17734e5cae45f977af77b1ba7129dbf3de0795a740720","tlsh":"05f09972d8796c309174704692508a08faa1717a36d400fa32daa1ed15ab350cbaca3c","path":"pyproject.toml"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/spaysrbx/MAL-2026-5334.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}