Which versions of databasesupasafe are malicious?

The following PyPI versions of databasesupasafe are flagged malicious: 1.0.0, 1.2.0. Treat any of these as compromised.

How do I remediate databasesupasafe if I installed it?

databasesupasafe is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed databasesupasafe — how do I know if it already compromised me?

If databasesupasafe was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is databasesupasafe part of a known attack campaign?

Yes — databasesupasafe is associated with the 2026-03-roboat-addition campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find databasesupasafe across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for databasesupasafe (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging databasesupasafe across your stack and pipelines.

Malicious package

databasesupasafePyPI

Malicious code in databasesupasafe (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-2557

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall databasesupasafe

What this malware does

During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap.

The campaign is built over a malicious Roblox API wrapper. The roboat[.]pro (later robase[.]app) domain advertises a wrapper that is either directly malicious (as roboat collected in the campaign 2026-03-rowrap) or uses a malicious dependencies (like roboat-utils). New versions are published simultaneously with malicious dependencies and quickly removed. Another advertisement channel is https://github.com/Addi9000/roboat referencing two active contributors: https://github.com/Addi9000 and https://github.com/RoCruise

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-roboat-addition

Reasons (based on the campaign):

The package overrides the install command in setup.py to execute malicious code during installation.
Downloads and executes a remote executable.
The malicious code is intentionally included in a dependency of the package
malware
clones-real-package

Malicious versions

2 flagged

1.0.01.2.0

Indicators of compromise (SHA-256)

0a3a11b25a3eca0595a37b08fedbed2bbb9b8bbdf4ea680a8be2f8e4846599eb

384b31fd6f9ed74af5fcb76197b023202e85999eb06bd56b049c8a32864bc912

462606bd9f9e3129dcfdd3d667ea6d87e8f58f32ee61727dc133ecb9465d9e37

593ae0c5fb008c8ea8bee1eeb13f6dcb6711e7f568c18f8df43375efc4c3c62a

83bfc669cf9d5dc0953e47a4de9f9e94bb494dfa88c7f4d7eed7c271fcd962ba

71a61fe2a5b75c1a322f6021a6c03191ee764d2fdad631b6ee550093890b5941

b66444b970c006f5e8a5be23af5da3167ac68d85e4de0f5469620b7f39836d81

896e1f13af0e89b14a1ef69dcfc21e20add06f6f11131026eb4e7c5033f09801

bf247988c8ed87969ec3b17206f01c538d487c6f2aec2e40911d19dad1bbf0dc

42e4b09631053b0791bb04e3c472872f0109da5081974c45e120382a86b8b947

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for databasesupasafe (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging databasesupasafe across your stack and pipelines.
If you installed it — respond
databasesupasafe is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If databasesupasafe was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks databasesupasafe before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. databasesupasafe on PyPI has been identified as a malicious package (versions 1.0.0, 1.2.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-03-roboat-addition

References

Credits

Kamil Mańkowski (kam193) · reporter

Detect & block this

O3 blocks databasesupasafe-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring