Ethical Hacking News
Cybersecurity researchers have discovered a malicious package on PyPI that exploits dependencies to achieve persistence and remote code execution. This attack highlights the growing threat of supply chain attacks in open-source ecosystems, emphasizing the importance of monitoring dependencies and implementing robust security protocols. As another vulnerability alert emerges from SlowMist regarding malicious npm packages, developers must prioritize software security awareness and take proactive measures to safeguard their systems against such threats.
Malicious packages were found on PyPI and npm repositories, highlighting the growing threat of supply chain attacks. A PyPI package named termncolor utilized a dependency called colorinal to establish persistence and achieve code execution. The attack leverages DLL side-loading to facilitate decryption, establish persistence, and conduct command-and-control (C2) communication. The malware persists in Windows systems by creating a registry entry under the Windows Run key and infects Linux systems using Python libraries. Open-source ecosystems require monitoring for potential supply chain attacks to prevent such vulnerabilities. A recent incident highlights the risks associated with automated dependency upgrades, particularly when a compromised project is used by thousands of other projects.
Cybersecurity researchers at Zscaler's ThreatLabz have discovered malicious packages on the Python Package Index (PyPI) and the npm repository. The finding highlights the growing threat of supply chain attacks, where attackers exploit vulnerabilities in dependencies within open-source ecosystems to compromise software systems. The most recent example involves a PyPI package named termncolor that uses a dependency called colorinal to establish persistence and achieve code execution.
The researchers found that while termncolor was downloaded 355 times, the corresponding colorinal library attracted 529 downloads. Both libraries have been removed from the affected repositories due to their malicious nature. According to Zscaler ThreatLabz experts Manisha Ramcharan Prajapati and Satyam Singh, this attack leverages DLL side-loading to facilitate decryption, establish persistence, and conduct command-and-control (C2) communication, ultimately leading to remote code execution.
Upon installation and execution, termncolor is designed to import colorinal. The latter loads a rogue DLL that decrypts the next-stage payload by deploying a legitimate binary called "vcpktsvr.exe" along with a DLL named "libcef.dll". This DLL harvests system information and communicates with the C2 server using Zulip, an open-source chat application, to conceal the malicious activity.
The malware persists in Windows systems by creating a registry entry under the Windows Run key. Furthermore, it is capable of infecting Linux systems, utilizing Python libraries to drop a shared object file called "terminate.so" to unleash similar functionality.
Zscaler emphasized that this attack demonstrates the importance of monitoring open-source ecosystems for potential supply chain attacks. This comes as a separate alert from SlowMist describes threat actors targeting developers under the guise of a job assessment, tricking them into cloning a GitHub repository containing a booby-trapped npm package. The malicious npm packages identified are redux-ace and rtk-logger, with 163 and 394 downloads respectively.
These packages exploit legitimate services such as Dropbox to exfiltrate information from infected systems and have been linked to the same threat actor tracked as MUT-1244. Datadog researchers Christophe Tafani-Dereeper and Matt Muir pointed out that these packages are distributed under the guise of malicious proof-of-concept (PoC) code for security flaws or a kernel patch offering performance improvements.
The revelation follows a report from ReversingLabs highlighting the risks associated with automated dependency upgrades, particularly when a compromised project is used by thousands of other projects. A notable example is the compromise of the eslint-config-prettier npm package via a phishing attack, which allowed attackers to push poisoned versions directly into the npm registry without any source code commits or pull requests.
This scenario resulted in over 14,000 packages declaring eslint-config-prettier as a direct dependency instead of declaring it under devDependencies. Consequently, automated actions such as GitHub Actions merged updates from Dependabot without scrutiny, allowing security issues to spread unchecked. According to Karlo Zanki, a security researcher, this highlights the risk posed by automated version management tools that can inadvertently introduce more significant security risks.
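As an added example (not code from Zscaler, SlowMist or ReversingLabs), the Python sketch below checks a project's manifests for the four package names reported above and for eslint-config-prettier declared under runtime dependencies instead of devDependencies. The function names and the sample manifests are constructed for illustration; only the package names come from the article.

```python
import json
import re

# Package names taken from the article; all four were reported as malicious.
FLAGGED = {"pypi": {"termncolor", "colorinal"}, "npm": {"redux-ace", "rtk-logger"}}
# The article reports this tooling package being declared as a direct
# dependency instead of under devDependencies.
DEV_ONLY = {"eslint-config-prettier"}


def normalize_pypi(name):
    """PEP 503 normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(text):
    """Return flagged PyPI names found in requirements.txt-style text."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m and normalize_pypi(m.group(0)) in FLAGGED["pypi"]:
            hits.append(normalize_pypi(m.group(0)))
    return hits


def scan_package_json(text):
    """Return (flagged, misplaced): flagged npm names in any dependency
    section, and dev-only tooling declared under runtime 'dependencies'."""
    manifest = json.loads(text)
    flagged = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            if name.lower() in FLAGGED["npm"]:
                flagged.append((section, name))
    misplaced = sorted(DEV_ONLY & set(manifest.get("dependencies", {})))
    return flagged, misplaced


# Constructed sample inputs (not from the article).
SAMPLE_REQS = "requests==2.32.3\nTermnColor>=1.0  # colour helper\n-r base.txt\n"
SAMPLE_PKG = json.dumps({
    "dependencies": {"react": "^18.0.0", "eslint-config-prettier": "^9.0.0"},
    "devDependencies": {"rtk-logger": "1.0.0"},
})

if __name__ == "__main__":
    print(scan_requirements(SAMPLE_REQS))
    print(scan_package_json(SAMPLE_PKG))
```

A manifest scan only sees declared dependencies; packages pulled in transitively, as colorinal was by termncolor, need the same check run against the lock file or the installed environment.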
The discovery underscores the need for enhanced vigilance and proactive measures in safeguarding open-source ecosystems against supply chain attacks. It also emphasizes the importance of monitoring dependencies, implementing robust security protocols, and ensuring transparency within software development processes to mitigate such vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-PyPI-and-npm-Packages-Discovered-Exploiting-Dependencies-in-Supply-Chain-Attacks-A-Growing-Threat-to-Open-Source-Ecosystems-ehn.shtml
https://thehackernews.com/2025/08/malicious-pypi-and-npm-packages.html
Published: Mon Aug 18 08:21:45 2025 by llama3.2 3B Q4_K_M