Found 17 bookmarks
Newest
PyPI Supply Chain Attack Uncovered: Colorama and Colorizr Name Confusion
PyPI Supply Chain Attack Uncovered: Colorama and Colorizr Name Confusion
Checkmarx Zero researcher Ariel Harush has discovered evidence of a malicious package campaign that is consistent with live adversarial activity and adversarial research and testing. This campaign targets Python and NPM users on Windows and Linux via typo-squatting and name-confusion attacks against colorama (a widely-used Python package for colorizing terminal output) on PyPI and the similar colorizr JavaScript package on NPM. These malicious packages were uploaded to PyPI. Multiple packages uploaded to PyPI with significantly risky payloads were uploaded with names similar to legitimate packages in both PyPI and NPM. The tactic of using the name from one ecosystem (NPM) to attack users of a different ecosystem (PyPI) is unusual. Payloads allow persistent remote access to and remote control of desktops and servers, as well as harvesting and exfiltrating sensitive data. Windows payloads attempt to bypass antivirus/endpoint protection controls to avoid detection. * Packages have been removed from public repositories, limiting immediate potential for damage. These behaviors are consistent with targeted adversarial activity and coordinated campaigns. It is likely, based on this pattern, that these were created either to attack a particular target or set of targets. No clear attribution data is currently available, so we do not know whether this campaign is connected to a well-known adversary. Cross-Platform Supply Chain Attacks Targeting Users of
#checkmarxEN#2025#Supply-Chain-Attack#PyPI#Colorizr#Colorama
·checkmarx.com·
PyPI Supply Chain Attack Uncovered: Colorama and Colorizr Name Confusion
Malicious PyPI Package Targets Discord Developers with Remot...
Malicious PyPI Package Targets Discord Developers with Remot...
The Socket Research team investigates a malicious Python package disguised as a Discord error logger that executes remote commands and exfiltrates data via a covert C2 channel. On March 21, 2022, a Python package ‘discordpydebug’ was uploaded to the Python Package Index (PyPI) under the name "Discord py error logger." At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library. However, the package concealed a fully functional remote access trojan (RAT). Over time, the package reached over 11,000 downloads, placing thousands of developer systems at risk. The package targeted developers who build or maintain Discord bots, typically indie developers, automation engineers, or small teams who might install such tools without extensive scrutiny. Since PyPI doesn’t enforce deep security audits of uploaded packages, attackers often take advantage of this by using misleading descriptions, legitimate-sounding names, or even copying code from popular projects to appear trustworthy. In this case, the goal was to lure unsuspecting developers into installing a backdoor disguised as a debugging aid. Discord’s developer ecosystem is both massive and tightly knit. With over 200 million monthly active users, more than 25% of whom interact with third-party apps, Discord has rapidly evolved into a platform where developers not only build but also live test, share, and iterate on new ideas directly with their users. Public and private servers dedicated to development topics foster an informal, highly social culture where tips, tools, and code snippets are shared freely and often used with little scrutiny. It’s within these trusted peer-to-peer spaces that threat actors can exploit social engineering tactics, positioning themselves as helpful community members and promoting tools like discordpydebug under the guise of debugging utilities. The fact that this package was downloaded over 11,000 times, despite having no README or documentation, highlights how quickly trust can be weaponized in these environments. Whether spread via casual recommendation, targeted DMs, or Discord server threads, such packages can gain traction before ever being formally vetted.
#socket.dev#EN#2025#Malicious#PyPI#supply-chain-attack#Discord#discordpydebug
·socket.dev·
Malicious PyPI Package Targets Discord Developers with Remot...
Using Trusted Protocols Against You: Gmail as a C2 Mechanism...
Using Trusted Protocols Against You: Gmail as a C2 Mechanism...
Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages. These seven packages: Coffin-Codes-Pro Coffin-Codes-NET2 Coffin-Codes-NET Coffin-Codes-2022 Coffin2022 Coffin-Grave cfc-bsb use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic. These packages have since been removed from the Python Package Index (PyPI).
#socket.dev#EN#2025#supply-chain-attack#PyPI#Python#packages#malicious#Gmail#tunnel
·socket.dev·
Using Trusted Protocols Against You: Gmail as a C2 Mechanism...
Python Crypto Library Updated to Steal Private Keys
Python Crypto Library Updated to Steal Private Keys
Yesterday, Phylum's automated risk detection platform discovered that the PyPI package aiocpa was updated to include malicious code that steals private keys by exfiltrating them through Telegram when users initialize the crypto library. While the attacker published this malicious update to PyPI, they deliberately kept the package's GitHub repository clean
#phylum#EN#2024#Python#Crypto#Library#PyPI#malicious#code#aiocpa#Supply-chain-attack
·blog.phylum.io·
Python Crypto Library Updated to Steal Private Keys
Malicious Python Package Targets macOS Developers
Malicious Python Package Targets macOS Developers
  • A package called “lr-utils-lib” was uploaded to PyPi in early June 2024, containing malicious code that executes automatically upon installation. The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data. The harvested credentials are sent to a remote server.
#checkmarx#EN#2024#macOS#stealer#Supply-chain-attack#PyPI#pypi-malware#lr-utils-lib#developpers
·checkmarx.com·
Malicious Python Package Targets macOS Developers
Users of Telegram, AWS, and Alibaba Cloud targeted in latest supply chain attack
Users of Telegram, AWS, and Alibaba Cloud targeted in latest supply chain attack
During the month of September, an attacker operating under the pseudonym "kohlersbtuh15", attempted to exploit the open-source community by uploading a series of malicious packages to the PyPi package manager. Based on the names of these packages and the code contained within them, it appears that this attacker targeted developers that use Aliyun services (Alibaba Cloud), telegram, and AWS.
#checkmarx#EN#2023#PyPi#Supply-chain-attack#kohlersbtuh15
·checkmarx.com·
Users of Telegram, AWS, and Alibaba Cloud targeted in latest supply chain attack
VMConnect supply chain attack continues, evidence points to North Korea - Security Boulevard
VMConnect supply chain attack continues, evidence points to North Korea - Security Boulevard
In early August, ReversingLabs identified a malicious supply chain campaign that the research team dubbed “VMConnect.” That campaign consisted of two dozen malicious Python packages posted to the Python Package Index (PyPI) open-source repository. The packages mimicked popular open-source Python tools, including vConnector, a wrapper module for pyVmomi VMware vSphere bindings; eth-tester, a collection of tools for testing Ethereum-based applications; and databases, a tool that gives asynchronous support for a range of databases.
#securityboulevard#EN#2023#Supply-Chain-Attack#VMConnect#PyPI
·securityboulevard.com·
VMConnect supply chain attack continues, evidence points to North Korea - Security Boulevard