A recent discovery by cybersecurity researchers has revealed a malicious package in the Python Package Index (PyPI) repository. This package, named termncolor, utilizes a dependency called colorinal to execute malicious activities, including establishing persistence and achieving code execution. Zscaler ThreatLabz reported that while termncolor was downloaded 355 times, colorinal had 529 downloads before both libraries were removed from PyPI.
The researchers, Manisha Ramcharan Prajapati and Satyam Singh, explained that the attack involves DLL side-loading to enable decryption, establish persistence, and communicate with a command-and-control (C2) server for remote code execution. Once installed, termncolor imports colorinal, which loads a rogue DLL responsible for decrypting and executing the next-stage payload. This payload includes a legitimate binary named “vcpktsvr.exe” and a DLL called “libcef.dll,” which are launched using DLL side-loading and can gather system information and communicate with the C2 server using Zulip, an open-source chat application.
In addition to targeting Windows systems, the malware can also infect Linux systems by dropping a shared object file called “terminate.so” to execute similar malicious functions.
Further investigation into the threat actor’s activities on Zulip revealed three active users within the created organization, exchanging over 90,692 messages since July 10, 2025. This incident underscores the importance of monitoring open-source ecosystems for potential supply chain attacks.
On a related note, SlowMist recently uncovered a scheme where threat actors target developers under the guise of a job assessment, tricking them into cloning a GitHub repository containing a malicious npm package capable of extracting sensitive data such as iCloud Keychain, web browser information, and cryptocurrency wallet details.
The npm packages used in this scheme are designed to execute Python scripts, gather system information, search for sensitive files, steal credentials, log keystrokes, capture screenshots, and monitor clipboard content. Notable packages involved in this activity, which have since been removed from npm, include:
- redux-ace (163 Downloads)
- rtk-logger (394 Downloads)
Recent months have seen an increase in malicious npm packages targeting the cybersecurity community, aiming to facilitate data theft and cryptocurrency mining through legitimate services like Dropbox for exfiltrating information.
Furthermore, a report from ReversingLabs highlights the risks associated with automated dependency upgrades, particularly when compromised projects are utilized by numerous other projects, amplifying vulnerabilities in the software supply chain.
An example of this risk is the recent compromise of the eslint-config-prettier npm package through a phishing attack, allowing attackers to push malicious versions to the npm registry without any source code changes. This incident affected over 14,000 packages that had declared eslint-config-prettier as a direct dependency, instead of as a devDependency, leading to automated actions merging potentially harmful updates.
Security researcher Karlo Zanki emphasized the importance of correctly declaring dependencies to avoid such security risks. He noted that automated tools like Dependabot, while designed to enhance security, can inadvertently introduce significant vulnerabilities like malicious compromises.
