Cybersecurity researchers have recently discovered a malicious package in the Python Package Index (PyPI) repository that introduces malicious behavior through a dependency, allowing it to establish persistence and achieve code execution.
termncolor package
The package, named termncolor, realizes its nefarious functionality through a dependency package called colorinal by means of a multi-stage malware operation, Zscaler ThreatLabz stated. While users downloaded termncolor 355 times, colorinal attracted 529 downloads. Both libraries are no longer available on PyPI.
“This attack could leverage DLL side-loading to facilitate decryption, establish persistence, and conduct command-and-control (C2) communication, ending in remote code execution,” according to researchers Manisha Ramcharan Prajapati and Satyam Singh.
Once users install and execute termncolor, it imports colorinal, which, in turn, loads a rogue DLL responsible for decrypting and running the next-stage payload.
Specifically, the payload deploys a legitimate binary vcpktsvr.exe and a DLL called libcef.dll, which launches using DLL side-loading. The DLL, for its part, is capable of harvesting system information and communicating with the C2 server using Zulip, an open-source chat application, to conceal the activity.
“Persistence is achieved by creating a registry entry under the Windows Run key to ensure automatic execution of the malware at system startup,” Zscaler explained.
Linux OS
Moreover, the malware can infect Linux systems, with the Python libraries dropping a shared object file called terminate.so to unleash the same functionality.
Further analysis of the threat actor’s Zulip activity has revealed three active users within the created organization, exchanging a total of 90,692 messages on the platform. It’s believed that the malware author has been active since July 10, 2025.
“The termncolor package and its malicious dependency colorinal highlight the importance of monitoring open-source ecosystems for potential supply chain attacks,” the company emphasized.
This disclosure comes as SlowMist revealed that threat actors are targeting developers under the guise of a job assessment to trick them into cloning a GitHub repository containing a booby-trapped npm package capable of harvesting iCloud Keychain, web browser, and cryptocurrency wallet data, exfiltrating the details to an external server.
Even more powerful
The npm packages also download and run Python scripts, capture system information, scan the file system for sensitive files, steal Credentials, log Keystrokes, take Screenshots, and monitor clipboard content.
The list of identified packages, now removed from npm, is below:
- redux-ace (163 Downloads)
- rtk-logger (394 Downloads)
In recent months, Malicious npm packages have targeted the Cybersecurity community to facilitate data theft and Cryptocurrency mining through a dependent package, using legitimate services like Dropbox to Exfiltrate information from infected systems.
These packages, as Datadog researchers Christophe Tafani–Dereeper and Matt Muir noted, distribute to targets under the guise of Malicious Proof-of-concept (PoC) code for security flaws or a kernel patch that supposedly offers performance improvements. The activity has been Attributed to a threat actor tracked as MUT-1244.
This development follows a report from ReversingLabs that highlights the risks associated with Automated Dependency upgrades, particularly when a Compromised project affects thousands of other projects, Amplifying risks to the software supply chain.
This is Exemplified by the recent compromise of the eslint-config-prettier npm package through a Phishing attack that allowed unnamed Attackers to push poisoned versions directly to the npm Registry without any source code commits or pull requests on its Corresponding GitHub Repository.
The software supply chain security company found that more than 14,000 packages declared eslint-config-prettier as a direct Dependency instead of as a DevDependency, causing Automated actions like GitHub Actions to automatically merge the Dependency update alerts issued by Dependabot without Scrutinizing them.
“Since this is a configuration for a development tool used for code formatting, it can be expected that it should be declared as a devDependency across packages in which it is used, and, as such, it shouldn’t be automatically installed when the npm install command is executed like with regular dependencies,” security researcher Karlo Zanki stated.
“Automated version management tools like Dependabot are designed to remove the risk of having dependencies with security issues in your code base, but […] ironically they can end up introducing even bigger security issues like malicious compromise.”
Source: TheHackerNews
Read more at Impreza News
