diff --git a/macros.python-wheel-sbom b/macros.python-wheel-sbom
index a21460a..41389f9 100644
--- a/macros.python-wheel-sbom
+++ b/macros.python-wheel-sbom
@@ -93,7 +93,7 @@
         whl="$pwd0/$whl"
     fi
 
-    record=$(zipinfo -1 "$whl" | grep '\.dist-info/RECORD$')
+    record=$(zipinfo -1 "$whl" | grep -E '^[^/]+-[^/]+\.dist-info/RECORD$')
     distinfo="${record%%/RECORD}"
     bom="$distinfo/sboms/%{__python_wheel_sbom_filename}"
 
diff --git a/python-rpm-macros.spec b/python-rpm-macros.spec
index 86d2865..ae3d558 100644
--- a/python-rpm-macros.spec
+++ b/python-rpm-macros.spec
@@ -56,7 +56,7 @@ elseif posix.stat('macros.python-srpm') then
 end
 }
 Version:        %{__default_python3_version}
-Release:        6%{?dist}
+Release:        7%{?dist}
 
 BuildArch:      noarch
 
@@ -169,6 +169,9 @@ grep -E '^#[^%%]*%%[^%%]' %{buildroot}%{rpmmacrodir}/macros.* && exit 1 || true
 
 
 %changelog
+* Fri Aug 29 2025 Miro Hrončok <mhroncok@redhat.com> - 3.14-7
+- %%python_wheel_inject_sbom: Don't accidentally alter nested .dist-infos
+
 * Wed Aug 13 2025 Miro Hrončok <mhroncok@redhat.com> - 3.14-6
 - Introduce %%python_wheel_inject_sbom
 
diff --git a/tests/testwheel.spec b/tests/testwheel.spec
index 2e761fc..461d7f3 100644
--- a/tests/testwheel.spec
+++ b/tests/testwheel.spec
@@ -23,7 +23,18 @@ version = "1"
 [build-system]
 requires = ["setuptools >= 61"]
 build-backend = "setuptools.build_meta"
+
+[tool.setuptools]
+include-package-data = true
+
+[tool.setuptools.packages.find]
+include = ["testwheel*"]
 EOF
+# create a secondary dist-info folder in the project
+# we need to ensure this file is not altered
+mkdir -p testwheel/_vendor/dependency-2.2.2.dist-info
+touch testwheel/_vendor/dependency-2.2.2.dist-info/RECORD
+echo 'recursive-include testwheel/_vendor *' > MANIFEST.in
 
 
 %build
@@ -70,6 +81,9 @@ grep '^testwheel-1.dist-info/sboms/bom.json,' %{venvsite}/testwheel-1.dist-info/
 # a more specific grep. we don't care about CRLF line ends (pip uses those? without the sed the $ doesn't match line end)
 sed 's/\r//g' %{venvsite}/testwheel-1.dist-info/RECORD | grep -E '^testwheel-1.dist-info/sboms/bom.json,sha256=[a-f0-9]{64},[0-9]+$'
 
+test -f %{venvsite}/testwheel/_vendor/dependency-2.2.2.dist-info/RECORD
+test -f %{venvsite}/testwheel/_vendor/dependency-2.2.2.dist-info/sboms/bom.json && exit 1 || true
+
 # this deliberately uses a different mechanism than the macro
 # if you are running this test on a different distro, adjust it
 %define ns %{?fedora:fedora}%{?eln:fedora}%{?epel:epel}%{!?eln:%{!?epel:%{?rhel:redhat}}}