Weaponized Python Package Termncolor Exploits Windows Run Key for Persistent Attack Strategies
A supply chain attack targeting Python developers has emerged through a seemingly innocuous package named Termncolor. The package conceals a multi-stage malware operation designed to establish persistent access on compromised systems. Distributed through the Python Package Index (PyPI), it masquerades as a legitimate terminal colour utility while deploying backdoor capabilities that rely on DLL sideloading and Windows registry manipulation for persistence. The attack begins when an unsuspecting developer installs Termncolor, which automatically imports its malicious dependency, Colourinal. That secondary package is the true entry point of the attack chain: it carries out a carefully orchestrated series of operations that culminate in remote code execution and system compromise. Zscaler researchers identified the malicious package on July 22, 2025, during routine monitoring of their Python package scanning database.
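The chain above hinges on a transitive import: the developer installs Termncolor, but the code that matters arrives through Colourinal, so a check that only looks at the names a developer typed misses the real entry point. The script below is an added example, not Zscaler's code and not part of the report. It walks the declared requirements of every installed distribution and reports each path from a directly installed package down to a denied name. The deny list holds the two names from the report; the `build_graph` helper reads the live environment, and the graph in the `__main__` block is a constructed illustration.

```python
"""Audit installed Python distributions for known-bad transitive dependencies.

Added example (not the report's or Zscaler's code). Only the two deny-list
names come from the report; everything else is generic.
"""
from __future__ import annotations

import re
from collections import deque
from importlib import metadata

# Names taken from the report, compared after PEP 503 normalisation.
DENY_LIST = {"termncolor", "colourinal"}

# Leading distribution name of a Requires-Dist string, e.g. 'foo (>=1.0); extra == "x"'.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of - _ . collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req: str) -> str | None:
    """Extract and normalise the distribution name from a requirement string."""
    m = _NAME_RE.match(req)
    return normalize(m.group(1)) if m else None


def build_graph(dists=None) -> dict[str, set[str]]:
    """Map each installed distribution to the set of distributions it declares
    as requirements. Extras are kept, since they may still have been installed."""
    graph: dict[str, set[str]] = {}
    for dist in dists if dists is not None else metadata.distributions():
        name = normalize(dist.metadata["Name"])
        deps = {requirement_name(r) for r in (dist.requires or [])}
        graph[name] = {d for d in deps if d}
    return graph


def find_chains(graph: dict[str, set[str]], deny=DENY_LIST) -> list[list[str]]:
    """Return every path root -> ... -> denied package.

    Roots are distributions that nothing else requires, i.e. the packages a
    developer most likely installed by hand. A denied package that is itself a
    root is reported as a one-element path."""
    deny = {normalize(d) for d in deny}
    required_by_someone = {d for deps in graph.values() for d in deps}
    roots = [n for n in graph if n not in required_by_someone]
    chains: list[list[str]] = []
    for root in roots:
        queue = deque([[root]])
        while queue:  # breadth-first so shorter chains are reported first
            path = queue.popleft()
            node = path[-1]
            if node in deny:
                chains.append(path)
            for dep in sorted(graph.get(node, ())):
                if dep not in path:  # guard against dependency cycles
                    queue.append(path + [dep])
    return chains


if __name__ == "__main__":
    # Constructed graph: "myapp" is a hypothetical project that pulled in the
    # report's package; "requests" and "urllib3" stand in for ordinary deps.
    demo = {
        "myapp": {"requests", "termncolor"},
        "requests": {"urllib3"},
        "urllib3": set(),
        "termncolor": {"colourinal"},
        "colourinal": set(),
    }
    for chain in find_chains(demo):
        print(" -> ".join(chain))
    # Against the real environment:
    for chain in find_chains(build_graph()):
        print("INSTALLED:", " -> ".join(chain))
```

Declared requirements are what the metadata says, not what the code actually imports at run time; this audit catches the dependency-pull pattern the report describes, while a package that imports something it never declared needs an import-level or network-level check instead.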
The malware’s design includes evasion techniques such as legitimate-looking components and encrypted payloads intended to avoid detection by traditional security tools. The discovery revealed an attack infrastructure that extends beyond simple backdoor functionality, with command-and-control communication patterns that mimic legitimate messaging platforms to disguise malicious traffic. Both Termncolor and Colourinal have since been removed from PyPI, though the threat highlights the ongoing risks of open-source software supply chain attacks. The malware affects both Windows and Linux environments, with specialised variants tailored to each operating system. Its multi-layered approach combines social engineering with technical precision: an initial infection may appear benign, because the colour utility functions normally while the malicious components operate silently in the background, which makes detection particularly challenging for organisations that rely on automated scanning tools alone.
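Because the utility works as advertised, the first visible trace of an infection on a Windows host is often the persistence itself: a Run-key value that starts a loader from a user-writable directory, or that has rundll32 pull a DLL from one, which is the shape the headline describes. The script below is an added example and is not from the report or from Zscaler. It triages `reg query` style output for those two patterns. The sample text, value names and paths are constructed for the demo and are not indicators from the report.

```python
"""Triage Windows Run-key entries for autostart commands that run from, or load
a DLL from, a user-writable directory.

Added example, not the report's or Zscaler's code. Input is text in the shape
`reg query HKCU\...\Run` prints; the sample is constructed, not an indicator.
"""
from __future__ import annotations

import ntpath
import re

# Directory fragments an unprivileged user can write to; legitimate autostarts
# usually live under Program Files or the Windows directory instead.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\downloads\\", "\\programdata\\")
# Signed Windows binaries that execute whatever DLL they are pointed at.
PROXY_LOADERS = {"rundll32.exe", "regsvr32.exe"}

#  <indent> <value name>  <REG_TYPE>  <data>   (columns separated by 2+ spaces)
_ENTRY_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")

# Constructed sample in `reg query` format; names and paths are invented.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\dev\AppData\Roaming\UpdaterSvc\update.exe
    Helper      REG_SZ    rundll32.exe "C:\Users\dev\AppData\Local\Temp\helper.dll",Run
"""


def parse_reg_query(text: str) -> list[tuple[str, str, str]]:
    """Return (key, value_name, data) for every value line under each key header."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = _ENTRY_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(3)))
    return entries


def split_command(data: str) -> tuple[str, str]:
    """Return (executable, arguments); the executable may be a quoted path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end != -1:
            return data[1:end], data[end + 1:].strip()
    head, _, tail = data.partition(" ")
    return head, tail


def first_path(args: str) -> str:
    """Pull the DLL path out of rundll32/regsvr32 arguments ('"x.dll",Entry' or 'x.dll,Entry')."""
    args = args.strip()
    if args.startswith('"'):
        end = args.find('"', 1)
        return args[1:end] if end != -1 else args[1:]
    return args.split(",", 1)[0].split(" ", 1)[0]


def assess(data: str) -> list[str]:
    """Reasons an autostart command deserves a look; empty list means nothing flagged."""
    exe, args = split_command(data)
    reasons = []
    if any(tag in exe.lower() for tag in USER_WRITABLE):
        reasons.append("executable lives in a user-writable directory")
    loader = ntpath.basename(exe).lower()
    if loader in PROXY_LOADERS:
        dll = first_path(args).lower()
        if "\\windows\\" not in dll:
            reasons.append(f"{loader} loads a DLL from outside the Windows directory")
        if any(tag in dll for tag in USER_WRITABLE):
            reasons.append("that DLL is in a user-writable directory")
    return reasons


def audit(text: str) -> list[dict]:
    """Flagged Run/RunOnce entries with the reasons for each."""
    hits = []
    for key, name, data in parse_reg_query(text):
        if key.rsplit("\\", 1)[-1].lower() not in ("run", "runonce"):
            continue
        reasons = assess(data)
        if reasons:
            hits.append({"key": key, "name": name, "command": data, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(f"{hit['name']}: {'; '.join(hit['reasons'])}\n    {hit['command']}")
```

On a live host, pipe the output of `reg query` for the HKCU and HKLM Run keys into `audit`; the path heuristics are deliberately coarse, so treat a hit as a triage lead to confirm against the file's signature and install history rather than as a verdict.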
Categories: Malware Attack, Supply Chain Security, Open Source Risks
Tags: Supply Chain Attack, Python Developers, Termncolor, Malware Operation, Backdoor Capabilities, DLL Sideloading, Remote Code Execution, Open-Source Software, Persistence Mechanism, Registry Manipulation