Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that introduces malicious behavior through a dependency that allows it to establish persistence and achieve code execution.
The package, named termncolor, realizes its nefarious functionality through a dependency package called colorinal by means of a multi-stage malware operation, Zscaler ThreatLabz said. While termncolor was downloaded 355 times, colorinal attracted 529 downloads. Both libraries are no longer available on PyPI.
“This attack could leverage DLL side-loading to facilitate decryption, establish persistence, and conduct command-and-control (C2) communication, ending in remote code execution,” according to researchers Manisha Ramcharan Prajapati and Satyam Singh.
Once installed and executed, termncolor is designed to import colorinal, which, in turn, loads a rogue DLL that’s responsible for decrypting and running the next-stage payload.
Specifically, the payload deploys a legitimate binary “vcpktsvr.exe” and a DLL called “libcef.dll” that’s launched using DLL side-loading. The DLL, for its part, is capable of harvesting system information and communicating with the C2 server using Zulip, an open-source chat application, to conceal the activity.
“Persistence is achieved by creating a registry entry under the Windows Run key to ensure automatic execution of the malware at system startup,” Zscaler said.
The malware is also capable of infecting Linux systems, with the Python libraries dropping a shared object file called “terminate.so” to unleash the same functionality.
Further analysis of the threat actor’s Zulip activity has revealed three active users within the created organization, with a total of 90,692 messages exchanged within the platform. It’s believed that the malware author has been active since July 10, 2025.
“The termncolor package and its malicious dependency colorinal highlight the importance of monitoring open-source ecosystems for potential supply chain attacks,” the company said.
The disclosure comes as SlowMist revealed that threat actors are targeting developers under the guise of a job assessment to trick them into cloning a GitHub repository containing a booby-trapped npm package that’s capable of harvesting iCloud Keychain, web browser, and cryptocurrency wallet data, and exfiltrating the details to an external server.
The npm packages are also engineered to download and run Python scripts, capture system information, scan the file system for sensitive files, steal credentials, log keystrokes, take screenshots, and monitor clipboard content.
The list of identified packages, now removed from npm, is below –
- redux-ace (163 Downloads)
- rtk-logger (394 Downloads)
In recent months, malicious npm packages have been spotted targeting the cybersecurity community to facilitate data theft and cryptocurrency mining through a dependent package, using legitimate services like Dropbox to exfiltrate the…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
