—

MAL-2026-2625

Malicious code in robase-install (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: kam193 (e1076baa8ca4cabd7ae4b1caafa04658a6f7a1c80f52d25de958412ec5d11661) The package is part of a malicious campaign, but was removed before the malicious code got embedded inside.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-roboat-addition

Reasons (based on the campaign):

- The package overrides the install command in setup.py to execute malicious code during installation.

- Downloads and executes a remote executable.

- The malicious code is intentionally included in a dependency of the package

- malware

- clones-real-package

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / robase-install

No fixed version published yet for robase-install (pip). Pin to a known-safe version or switch to an alternative.

References

https://www.virustotal.com/gui/file/9f14d239ab8f1289bc7aedeb67d3d72b467ee6c11b201890ab14c5c4f7c175d2/detection [EVIDENCE]
https://www.virustotal.com/gui/file/48b108261d5de97a42eff81cf1a60a32286f72bf8b5f130959e0daa86b783608 [EVIDENCE]
https://www.virustotal.com/gui/file/ef20289b52ab23ec23c5ff885a2293523ce8456fb00e3d67f1b084c28f7d282a/detection [EVIDENCE]
https://github.com/Addi9000/roboat/blob/331166c8ea3bd080f08fe6d571202e3b47017ed7/README.md#L31 [WEB]
https://github.com/Addi9000/roboat/commit/331166c8ea3bd080f08fe6d571202e3b47017ed7 [WEB]
https://github.com/Addi9000 [WEB]
https://github.com/RoCruise [WEB]
https://www.roboat.pro/ [WEB]
https://bad-packages.kam193.eu/pypi/package/robase-install [WEB]