Malicious PyPI and npm packages discovered exploiting dependencies in supply chain attacks

August 18, 2025

Cybersecurity researchers have discovered malicious packages in the Python Package Index (PyPI) repository that introduce malicious behavior through a dependency, allowing them to establish persistence and achieve code execution.

A package named termncolor delivers its malicious functionality through a dependency package called colorinal by means of a multi-stage malware operation, Zscaler ThreatLabz said. While termncolor was downloaded 355 times, colorinal attracted 529 downloads. Both libraries are no longer available on PyPI.

“This attack could leverage DLL sideloading to promote decoding, establish persistence, implement command and control (C2) communication and end with remote code execution,” said researchers Manisha Ramcharan Prajapati and Satyam Singh.

Once installed and run, termncolor is designed to import colorinal, which in turn loads a rogue DLL responsible for decrypting and running the next-stage payload.

Specifically, the payload unpacks the legitimate binary “vcpktsvr.exe” and a DLL called “libcef.dll” that is launched using DLL sideloading. The DLL, for its part, can collect system information and communicate with the C2 server using Zulip, an open source chat application, to hide the activity.

“Persistence is achieved by creating a registry entry under the Windows Run key to ensure that the malware runs automatically at system startup,” Zscaler said.

The malware can also infect Linux systems. There, the Python library delivers the same functionality by dropping a shared object file called “Terminate.so”.


Further analysis of the threat actor’s Zulip activity revealed three active users within the created organization, with a total of 90,692 messages exchanged within the platform. The malware author is believed to have been active since July 10th, 2025.

“The termncolor package and its malicious dependency colorinal underscore the importance of monitoring the open source ecosystem for potential supply chain attacks,” the company said.

The disclosure comes as SlowMist revealed that threat actors are targeting developers under the guise of job assessments, using a cloned GitHub repository containing booby-trapped npm packages that can harvest iCloud Keychain, web browser and cryptocurrency wallet data and send the details to an external server.

The npm packages are designed to download and run Python scripts, capture system information, scan file systems for sensitive files, steal credentials, log keystrokes, take screenshots, and monitor clipboard content.

The identified packages, which have since been removed from npm, are listed below:

  • redux-ace (163 downloads)
  • rtk-logger (394 downloads)

In recent months, malicious npm packages targeting the cybersecurity community have also been discovered. They facilitate data theft and cryptocurrency mining via a dependent package and use legitimate services such as Dropbox to exfiltrate information from infected systems.

Datadog researchers Christophe Tafani-Dereeper and Matt Muir said these packages are distributed to targets under the guise of malicious proof-of-concept (PoC) code for security flaws or kernel patches that provide performance improvements. The activity is attributed to a threat actor tracked as MUT-1244.

The development follows a ReversingLabs report that identifies the risks associated with automated dependency upgrades, especially when a compromised project is used by thousands of other projects, which amplifies the risk to the software supply chain.


This is exemplified by the recent compromise of the eslint-config-prettier npm package through a phishing attack that allowed unnamed attackers to push directly to the npm registry without any commits or pull requests in the corresponding GitHub repository.

The software supply chain security company found that over 14,000 packages declare eslint-config-prettier as a direct dependency.

“Because this is a configuration of the development tool used to format the code, we expect it to need to be declared as a devDependency across the packages used. Therefore, it should not be automatically installed when the npm install command is executed in the same way as a regular dependency.”

“Automatic version control tools like Dependabot are designed to remove the risk of having dependencies with security issues in the codebase, […] Ironically, they will introduce even bigger security issues, such as malicious compromises.”
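A lockfile check for the two npm points above, added here as an illustration and not taken from any of the cited reports: it finds the package names listed in this article anywhere in the resolved tree, reports which package pulled them in, and flags eslint-config-prettier when it is installed outside the dev-only tree. The sample lockfile, the `some-ui-kit` name and all version strings are constructed; matching is by name only because the article lists no affected versions.

```python
import json

# Names taken from the article; matching is by name only (no versions are given).
FLAGGED = {"redux-ace", "rtk-logger"}
DEV_ONLY_TOOLS = {"eslint-config-prettier"}

def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return lock_path.rpartition("node_modules/")[2]

def required_by(packages, name):
    """Lockfile entries (or '<root>') that declare `name` as a dependency."""
    parents = []
    for path, meta in packages.items():
        declared = {**meta.get("dependencies", {}), **meta.get("devDependencies", {})}
        if name in declared:
            parents.append(path or "<root>")
    return parents

def audit_lockfile(lock):
    """Audit an npm lockfile (lockfileVersion 2 or 3, 'packages' map)."""
    packages = lock.get("packages", {})
    findings = []
    for path, meta in packages.items():
        if not path:  # the empty key is the root project, not an installed package
            continue
        name = package_name(path)
        if name in FLAGGED:
            kind = "flagged"
        elif name in DEV_ONLY_TOOLS and not meta.get("dev", False):
            kind = "dev-tool-in-prod-tree"  # resolved as a regular dependency
        else:
            continue
        findings.append((kind, name, path, required_by(packages, name)))
    return findings

# Constructed sample: a hypothetical UI kit pulls both packages in transitively.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"some-ui-kit": "^1.0.0"}, "devDependencies": {"eslint": "^9.0.0"}},
    "node_modules/some-ui-kit": {"version": "1.0.0",
      "dependencies": {"eslint-config-prettier": "*", "rtk-logger": "*"}},
    "node_modules/eslint-config-prettier": {"version": "0.0.0-example"},
    "node_modules/rtk-logger": {"version": "0.0.0-example"},
    "node_modules/eslint": {"version": "0.0.0-example", "dev": true}
  }
}""")

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print(finding)
```

Run against a real `package-lock.json` by loading it with `json.load` and passing the result to `audit_lockfile`.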

