Malicious PyPI and npm Packages Found Exploiting Dependencies in Supply Chain Attacks
Cybersecurity researchers have identified a malicious package in the Python Package Index (PyPI) repository, named Termncolor, which employs a dependency called Colorinal to execute a multi-stage malware operation. According to Zscaler ThreatLabz, Termncolor was downloaded 355 times, while Colorinal garnered 529 downloads before both packages were removed from PyPI. The attack exploits DLL side-loading to facilitate decryption, establish persistence, and enable command-and-control (C2) communication, ultimately leading to remote code execution. Once installed, Termncolor imports Colorinal, which loads a rogue DLL responsible for decrypting and executing the next-stage payload. This payload deploys a legitimate binary, Vcpktsvr.exe, and a DLL named Libcef.dll, which can harvest system information and communicate with the C2 server via Zulip, an open-source chat application, thereby concealing its activities.
The malware also targets Linux systems by dropping a shared object file called Terminate.so, which provides the same malicious functionality. Further analysis of the threat actor’s Zulip activity revealed three active users within the created organisation, exchanging a staggering 90,692 messages. It is believed that the malware author has been active since July 10, 2025. The discovery of Termncolor and its malicious dependency underscores the critical need for vigilance in monitoring open-source ecosystems for potential supply chain attacks. Concurrently, SlowMist has reported that threat actors are deceiving developers under the guise of job assessments, tricking them into cloning a GitHub repository that contains a compromised npm package capable of harvesting sensitive data from iCloud Keychain, web browsers, and cryptocurrency wallets. These malicious npm packages are designed to download and execute Python scripts, capture system information, and exfiltrate sensitive data using legitimate services such as Dropbox.
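Both campaigns share two observable traits a defender can check for before a package is trusted: a nominally pure-Python package whose dependency ships native binaries (a DLL or shared object that is not a tagged CPython extension module), and an npm package whose install-time lifecycle hook spawns an interpreter or downloader. The following audit script is an added example written for this article; it is not code from Zscaler, SlowMist, or the packages named above. All package names and file names in the sample tree are constructed for the demonstration, and the suffix and hook heuristics are assumptions, not a complete detection rule.

```python
"""Audit an unpacked Python package and an npm package for supply-chain red flags.

Added example for this article; heuristics and sample data are constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# Native binaries that deserve a second look inside a package tree.
NATIVE_SUFFIXES = {".dll", ".so", ".exe", ".dylib"}
# Legitimate compiled extension modules carry an ABI tag in the file name,
# e.g. "_speed.cpython-311-x86_64-linux-gnu.so" or "_speed.cp311-win_amd64.pyd";
# those are expected in wheels and are not flagged (assumption: this covers the common cases).
ABI_TAGGED = re.compile(r"\.(cpython-\d+|cp\d+|abi3)[^/]*\.(so|pyd)$")
# npm lifecycle hooks that run automatically during "npm install".
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Interpreters and downloaders an install hook rarely has a legitimate reason to spawn.
SUSPICIOUS_CMD = re.compile(r"\b(python3?|curl|wget|powershell|node\s+-e)\b")


def audit_python_package(pkg_dir):
    """Return paths (relative, POSIX style) of native binaries that are not tagged extensions."""
    pkg_dir = Path(pkg_dir)
    findings = []
    for path in pkg_dir.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in NATIVE_SUFFIXES and not ABI_TAGGED.search(path.name):
            findings.append(path.relative_to(pkg_dir).as_posix())
    return sorted(findings)


def audit_npm_package(pkg_dir):
    """Return 'hook: command' strings for install hooks that spawn an interpreter or downloader."""
    manifest = Path(pkg_dir) / "package.json"
    if not manifest.exists():
        return []
    scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts", {})
    return sorted(
        f"{hook}: {cmd}"
        for hook, cmd in scripts.items()
        if hook in INSTALL_HOOKS and SUSPICIOUS_CMD.search(cmd)
    )


def build_sample_tree(root):
    """Create constructed sample packages (not real artefacts) under root."""
    root = Path(root)
    py_pkg = root / "colordemo"                      # constructed PyPI-style package
    (py_pkg / "vendor").mkdir(parents=True)
    (py_pkg / "__init__.py").write_text("import ctypes\n")
    (py_pkg / "vendor" / "helper.dll").write_bytes(b"MZ\x90\x00")       # untagged DLL: flagged
    (py_pkg / "terminate_demo.so").write_bytes(b"\x7fELF")              # untagged .so: flagged
    (py_pkg / "_speed.cpython-311-x86_64-linux-gnu.so").write_bytes(b"\x7fELF")  # tagged: OK

    npm_pkg = root / "assessment-task"               # constructed npm-style package
    npm_pkg.mkdir()
    (npm_pkg / "package.json").write_text(json.dumps({
        "name": "assessment-task",
        "scripts": {"test": "node test.js", "postinstall": "python3 setup_env.py"},
    }))
    return py_pkg, npm_pkg


def run_demo():
    """Build the sample tree in a temporary directory and return both audit results."""
    with tempfile.TemporaryDirectory() as tmp:
        py_pkg, npm_pkg = build_sample_tree(tmp)
        return audit_python_package(py_pkg), audit_npm_package(npm_pkg)


if __name__ == "__main__":
    native, hooks = run_demo()
    print("native binaries in pure-Python package:", native)
    print("suspicious npm install hooks:", hooks)
```

Point `audit_python_package` at a directory extracted from a wheel or sdist, and `audit_npm_package` at a cloned repository or an unpacked npm tarball, before running `pip install` or `npm install` on it. A hit is a reason to inspect, not proof of compromise: some packages ship vendored libraries or legitimate build hooks, which is why the script reports findings rather than blocking.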
Categories: Malicious Software, Supply Chain Attacks, Data Exfiltration
Tags: Malicious Package, Python Package Index, Dependency, Code Execution, DLL Side-Loading, Persistence, Command-and-Control, Open-Source Ecosystems, Supply Chain Attacks, Data Theft