
Malicious PyPI Packages Uncovered: Supply Chain Risk for Python

Malicious Python and npm Packages Expose Software Supply Chains to Remote Code Execution and Data Theft

  • Researchers identified malicious Python and npm packages facilitating malware attacks through official repositories.
  • The compromised Python packages, termncolor and colorinal, enabled remote code execution and system persistence on both Windows and Linux.
  • Attackers used DLL side-loading and registry manipulation to maintain access and stole information using the Zulip chat app.
  • Similar threats in npm packages targeted developers and security researchers, aiming to steal sensitive data and credentials.
  • Reports highlighted risks from automatic dependency upgrades, as seen in a recent compromise of the eslint-config-prettier npm package.

Cybersecurity researchers have found harmful software in the official Python Package Index (PyPI) and npm package repositories, putting software supply chains at risk. The packages, called termncolor and its dependency colorinal, were discovered after being downloaded hundreds of times before removal from PyPI.


According to Zscaler ThreatLabz, the termncolor package imported colorinal, which triggered a multi-stage malware process. These stages involved loading a fake dynamic-link library (DLL) file to decrypt further malware. The operation allowed attackers to silently keep access to computers and run remote code.

The researchers, Manisha Ramcharan Prajapati and Satyam Singh, explained that this attack used DLL side-loading to decrypt, maintain system persistence, and conduct command-and-control (C2) communication. “Persistence is achieved by creating a registry entry under the Windows Run key to ensure automatic execution of the malware at system startup,” Zscaler said. On Linux systems, the attack involved a shared object file called terminate.so to deliver similar effects.

Zscaler noted the attackers hid their activities by using Zulip, an open-source chat app, for C2 traffic. Analysis showed three active users and nearly 91,000 messages exchanged. The malware author has reportedly been active since July 10, 2025. Zscaler pointed out, “The termncolor package and its malicious dependency colorinal highlight the importance of monitoring open-source ecosystems for potential supply chain attacks.”

Separate findings from SlowMist revealed that some threat actors are tricking developers by posing as job recruiters and asking them to run infected npm packages. The discovered npm packages, such as redux-ace and rtk-logger, secretly stole keychain, browser, and cryptocurrency wallet data by running Python scripts and gathering private information.


Other recent cases included attackers targeting cybersecurity professionals using poisoned npm packages promoted as fake security tools or code patches. Datadog researchers connected this strategy to a group tracked as MUT-1244.

Further highlighting the risks, ReversingLabs reported on the compromise of the eslint-config-prettier npm package through a phishing attack. This impacted more than 14,000 projects that listed the package as a regular dependency, which led automated tools like Dependabot to update them without manual checks. Researcher Karlo Zanki stated that such tools, while meant to reduce risk, can also introduce new security problems if not properly configured.
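The two concerns above (a dependency that pulls in a malicious package, and unpinned specifiers that let automated tooling upgrade silently) can both be caught with a small requirements audit. The following is an added example, not code from the article or from the researchers it cites; it uses only the two package names the article reports, with a constructed requirements.txt as input and a deliberately simplified requirement parser rather than a full PEP 508 implementation.

```python
"""Audit a requirements.txt for known-malicious names and unpinned specifiers.

Added example: the malicious names come from the article; a real deployment
would pull them from a maintained feed (e.g. an advisory database) instead.
"""
import re

# Package names the article reports as malicious (constructed allow-list for the demo).
KNOWN_MALICIOUS = {"termncolor", "colorinal"}

# Simplified requirement line: name, optional [extras], optional version specifier.
_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([<>=!~].*)?$")


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Color.Inal' and 'colorinal' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text: str) -> list[dict]:
    """Return one finding per requirement that is known-malicious or not pinned with '=='."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options (-r, --hash, ...)
            continue
        m = _LINE.match(line)
        if not m:
            continue
        name = normalize(m.group(1))
        spec = (m.group(3) or "").strip()
        if name in KNOWN_MALICIOUS:
            findings.append({"package": name, "issue": "known-malicious"})
        elif not spec.startswith("=="):
            # Anything other than an exact pin lets Dependabot-style upgrades or a
            # plain `pip install -r` resolve to a newer, possibly compromised release.
            findings.append({"package": name, "issue": "unpinned", "spec": spec})
    return findings


# Constructed sample input for the demo.
SAMPLE_REQUIREMENTS = """\
requests>=2.31      # floating lower bound
termncolor==1.0
colorinal
numpy==1.26.4       # exact pin, no finding
-r base.txt
"""

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f)
```

Pair this with a lockfile (pip-tools, Poetry or uv) and hash checking so that a review gate, not the upgrade bot, decides when a dependency moves.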

These incidents underline the need for ongoing monitoring of open-source software repositories and careful review of package dependencies.
