Ingest OSV - Cloud Storage

github-actions · github-actions · commit c4ce22f70e22 · 2026-03-23T23:45:30.000Z
diff --git a/config/start-keys.yaml b/config/start-keys.yaml
@@ -1,7 +1,7 @@
 amazon-inspector:
     IN-MAL-: IN-MAL-2026-001146.json
 kam193:
-    pypi/packages/malicious/osv/: f385b4e03a38091523c41eca0e30b2ff3de36561
+    pypi/packages/malicious/osv/: f2c16f106f5cc22c712b1cc33478c3f08b07b0b2
     pypi/packages/pentest/osv/: 0d65fa30569acb74a4cd2f6968297f9cf794b510
     pypi/packages/probably_pentest/osv/: dbfe89897c1972febd30846186aef4b82af004cd
 ossf-package-analysis:
diff --git a/osv/malicious/pypi/logutilkit/MAL-0000-kam193-ac7ea80d57c3c34f.json b/osv/malicious/pypi/logutilkit/MAL-0000-kam193-ac7ea80d57c3c34f.json
@@ -0,0 +1,57 @@
+{
+  "modified": "2026-03-23T22:53:57Z",
+  "published": "2026-03-23T22:53:57Z",
+  "schema_version": "1.7.4",
+  "id": "",
+  "summary": "Malicious code in logutilkit (PyPI)",
+  "details": "Malicious clone of a legitimate package. When using it, the code attempts to download and execute remote code. In on of the incarnations, the malicious code was embeded in the strongly obfuscated file, which at least collected data from cryptowallets and password managers and exfiltrated them to a hardcoded remote location.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-03-license-utils-kit\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - obfuscation\n\n\n - crypto-related\n\n\n - action-hidden-in-lib-usage\n\n\n - exfiltration-credentials\n\n\n - clones-real-package\n\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "logutilkit"
+      },
+      "versions": [
+        "1.0.1"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://bad-packages.kam193.eu/pypi/package/logutilkit"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Kamil Mańkowski (kam193)",
+      "type": "REPORTER",
+      "contact": [
+        "https://github.com/kam193",
+        "https://bad-packages.kam193.eu/"
+      ]
+    }
+  ],
+  "database_specific": {
+    "iocs": {
+      "domains": [
+        "apachelicense.vercel.app"
+      ],
+      "ips": [
+        "66.45.225.94"
+      ]
+    },
+    "malicious-packages-origins": [
+      {
+        "source": "kam193",
+        "sha256": "ac7ea80d57c3c34f71f9245d7c01172c9f5dfb7a757274b58253df1c3dff24e7",
+        "import_time": "2026-03-23T23:45:18.693550378Z",
+        "id": "pypi/2026-03-license-utils-kit/logutilkit",
+        "modified_time": "2026-03-23T22:53:57.416367Z",
+        "versions": [
+          "1.0.1"
+        ]
+      }
+    ]
+  }
+}
diff --git a/osv/malicious/pypi/roboat/MAL-0000-kam193-f04db4869c9e9818.json b/osv/malicious/pypi/roboat/MAL-0000-kam193-f04db4869c9e9818.json
@@ -0,0 +1,73 @@
+{
+  "modified": "2026-03-23T23:09:44Z",
+  "published": "2026-03-23T23:09:44Z",
+  "schema_version": "1.7.4",
+  "id": "",
+  "summary": "Malicious code in roboat (PyPI)",
+  "details": "During installation, the code attempts to download and start malware.\n\nConnected with the campaign based on the time correlation and other packages published by the author.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-03-rowrap\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n\n\n - malware\n\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "roboat"
+      },
+      "versions": [
+        "0.0.1",
+        "1.1.0",
+        "2.0.0",
+        "2.1.0"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "EVIDENCE",
+      "url": "https://www.virustotal.com/gui/file/7853783660953f032d117c78eb627fa7a22bdd828b161a58f2abc7405905bce2/detection"
+    },
+    {
+      "type": "EVIDENCE",
+      "url": "https://www.virustotal.com/gui/file/fa7d6114e0d7f164122f7080d19c83ffbfa8e2f3b56a9c7ba95bf5663f72b97c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bad-packages.kam193.eu/pypi/package/roboat"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Kamil Mańkowski (kam193)",
+      "type": "REPORTER",
+      "contact": [
+        "https://github.com/kam193",
+        "https://bad-packages.kam193.eu/"
+      ]
+    }
+  ],
+  "database_specific": {
+    "iocs": {
+      "domains": [
+        "dark-resonance-459b.blammervale.workers.dev",
+        "dry-hall-8967.blammervale.workers.dev"
+      ],
+      "urls": [
+        "https://dark-resonance-459b.blammervale.workers.dev/555.bat",
+        "https://dry-hall-8967.blammervale.workers.dev/HHH.exe"
+      ]
+    },
+    "malicious-packages-origins": [
+      {
+        "source": "kam193",
+        "sha256": "f04db4869c9e981873683b537f335c1f25c7c17c283315859699855a9c20816b",
+        "import_time": "2026-03-23T23:45:18.695034166Z",
+        "id": "pypi/2026-03-rowrap/roboat",
+        "modified_time": "2026-03-23T23:09:44.958346Z",
+        "versions": [
+          "0.0.1",
+          "1.1.0",
+          "2.0.0",
+          "2.1.0"
+        ]
+      }
+    ]
+  }
+}
diff --git a/osv/malicious/pypi/rowrap/MAL-0000-kam193-aa14a24775db29bd.json b/osv/malicious/pypi/rowrap/MAL-0000-kam193-aa14a24775db29bd.json
@@ -0,0 +1,95 @@
+{
+  "modified": "2026-03-18T06:42:54Z",
+  "published": "2026-03-18T06:42:54Z",
+  "schema_version": "1.7.4",
+  "id": "",
+  "summary": "Malicious code in rowrap (PyPI)",
+  "details": "The package hides code to download and start malicious script containing malware, identified as adware. The triggering method seems to be PTH file, although it's not always present\n\n Given the time correlation, it's likely armored continuation of 2026-03-robloxapi-testy\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-03-rowrap\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n\n\n - malware\n\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "rowrap"
+      },
+      "versions": [
+        "1.0.0",
+        "1.0.1",
+        "1.0.2",
+        "1.0.4",
+        "1.0.8",
+        "1.0.9",
+        "1.1.0",
+        "1.1.1",
+        "1.1.2",
+        "1.1.3",
+        "1.1.5",
+        "1.1.6",
+        "1.1.8",
+        "1.20",
+        "1.21"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "EVIDENCE",
+      "url": "https://www.virustotal.com/gui/file/7853783660953f032d117c78eb627fa7a22bdd828b161a58f2abc7405905bce2/detection"
+    },
+    {
+      "type": "EVIDENCE",
+      "url": "https://www.virustotal.com/gui/file/fa7d6114e0d7f164122f7080d19c83ffbfa8e2f3b56a9c7ba95bf5663f72b97c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bad-packages.kam193.eu/pypi/package/rowrap"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Kamil Mańkowski (kam193)",
+      "type": "REPORTER",
+      "contact": [
+        "https://github.com/kam193",
+        "https://bad-packages.kam193.eu/"
+      ]
+    }
+  ],
+  "database_specific": {
+    "iocs": {
+      "domains": [
+        "dark-resonance-459b.blammervale.workers.dev",
+        "dry-hall-8967.blammervale.workers.dev"
+      ],
+      "urls": [
+        "https://dark-resonance-459b.blammervale.workers.dev/555.bat",
+        "https://dry-hall-8967.blammervale.workers.dev/HHH.exe"
+      ]
+    },
+    "malicious-packages-origins": [
+      {
+        "source": "kam193",
+        "sha256": "aa14a24775db29bdb8ff5f2e696e0499d404549e6e51f7b4b891973def89ce9f",
+        "import_time": "2026-03-23T23:45:18.695924096Z",
+        "id": "pypi/2026-03-rowrap/rowrap",
+        "modified_time": "2026-03-18T06:42:54.318349Z",
+        "versions": [
+          "1.0.0",
+          "1.0.1",
+          "1.0.2",
+          "1.0.4",
+          "1.0.8",
+          "1.0.9",
+          "1.1.0",
+          "1.1.1",
+          "1.1.2",
+          "1.1.3",
+          "1.1.5",
+          "1.1.6",
+          "1.1.8",
+          "1.20",
+          "1.21"
+        ]
+      }
+    ]
+  }
+}
diff --git a/osv/malicious/pypi/rowrapee/MAL-0000-kam193-398cfbdac2d3602a.json b/osv/malicious/pypi/rowrapee/MAL-0000-kam193-398cfbdac2d3602a.json
@@ -0,0 +1,69 @@
+{
+  "modified": "2026-03-23T23:17:18Z",
+  "published": "2026-03-23T23:17:18Z",
+  "schema_version": "1.7.4",
+  "id": "",
+  "summary": "Malicious code in rowrapee (PyPI)",
+  "details": "The package hides code to download and start malicious script containing malware, identified as adware. The triggering method seems to be PTH file, although it's not always present\n\n Given the time correlation, it's likely armored continuation of 2026-03-robloxapi-testy\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-03-rowrap\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n\n\n - malware\n\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "rowrapee"
+      },
+      "versions": [
+        "1.21",
+        "1.22"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "EVIDENCE",
+      "url": "https://www.virustotal.com/gui/file/7853783660953f032d117c78eb627fa7a22bdd828b161a58f2abc7405905bce2/detection"
+    },
+    {
+      "type": "EVIDENCE",
+      "url": "https://www.virustotal.com/gui/file/fa7d6114e0d7f164122f7080d19c83ffbfa8e2f3b56a9c7ba95bf5663f72b97c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bad-packages.kam193.eu/pypi/package/rowrapee"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Kamil Mańkowski (kam193)",
+      "type": "ANALYST",
+      "contact": [
+        "https://github.com/kam193",
+        "https://bad-packages.kam193.eu/"
+      ]
+    }
+  ],
+  "database_specific": {
+    "iocs": {
+      "domains": [
+        "dark-resonance-459b.blammervale.workers.dev",
+        "dry-hall-8967.blammervale.workers.dev"
+      ],
+      "urls": [
+        "https://dark-resonance-459b.blammervale.workers.dev/555.bat",
+        "https://dry-hall-8967.blammervale.workers.dev/HHH.exe"
+      ]
+    },
+    "malicious-packages-origins": [
+      {
+        "source": "kam193",
+        "sha256": "398cfbdac2d3602a5c9836408942993c3f2bbcda911184825f01cf9937fb035e",
+        "import_time": "2026-03-23T23:45:18.696556125Z",
+        "id": "pypi/2026-03-rowrap/rowrapee",
+        "modified_time": "2026-03-23T23:17:18.087654Z",
+        "versions": [
+          "1.21",
+          "1.22"
+        ]
+      }
+    ]
+  }
+}
