A sophisticated supply chain attack has been identified, targeting Python developers through a seemingly benign package named ‘termncolor’. This package conceals a multi-stage malware operation designed to establish persistent access on compromised systems.
Overview of the Attack
The ‘termncolor’ package, distributed via the Python Package Index (PyPI), masquerades as a legitimate terminal color utility. However, it secretly deploys advanced backdoor capabilities that utilize DLL sideloading techniques and Windows registry manipulation to maintain persistence.
The attack initiates when developers install ‘termncolor’, which automatically imports a malicious dependency named ‘colorinal’. This secondary package serves as the primary entry point for the attack chain, executing a series of operations that culminate in remote code execution and system compromise.
Technical Details
The malware’s design incorporates sophisticated evasion techniques, including the use of legitimate-looking components and encrypted payloads to avoid detection by traditional security tools. Zscaler researchers identified the malicious package on July 22, 2025, during routine monitoring of their Python package scanning database. Their discovery revealed a complex attack infrastructure extending beyond simple backdoor functionality, incorporating advanced command-and-control communication patterns that mimic legitimate messaging platforms to disguise malicious traffic.
Both ‘termncolor’ and ‘colorinal’ have since been removed from PyPI. However, this incident underscores the ongoing risks associated with open-source software supply chain attacks. The malware impacts both Windows and Linux environments, with specialized variants tailored for each operating system.
Persistence Mechanism and Registry Manipulation
A critical aspect of this malware’s operation is its sophisticated persistence mechanism, ensuring continued system access even after restarts. Once the ‘colorinal’ package executes, it triggers the ‘unicode.py’ file, which loads an embedded DLL called ‘terminate.dll’ into memory. This DLL serves as the primary dropper component, utilizing AES encryption in CBC mode to decrypt and deploy two key files onto the target system.
The persistence strategy employs a classic Windows registry modification technique, creating an entry named pkt-update under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key. This entry points to ‘vcpktsvr.exe’, a legitimately signed executable that the malware drops into the %LOCALAPPDATA%\vcpacket directory. The use of a signed executable adds an additional layer of legitimacy, helping the malware evade security scrutiny.
The malware’s true payload resides in ‘libcef.dll’, which accompanies ‘vcpktsvr.exe’ and executes through DLL sideloading. This technique exploits the Windows DLL search order, allowing the malicious library to masquerade as a legitimate component while maintaining persistent backdoor access. The ‘libcef.dll’ component handles system reconnaissance and command-and-control communications, using the Zulip messaging platform to disguise its network traffic as legitimate team communications.
Implications and Recommendations
This incident highlights the increasing sophistication of supply chain attacks targeting open-source ecosystems. Developers and organizations must exercise caution when incorporating third-party packages into their projects. Implementing robust security practices, such as verifying the authenticity of packages, regularly updating dependencies, and employing advanced threat detection mechanisms, is crucial to mitigate such risks.
Furthermore, the use of legitimate-looking components and encrypted payloads by the malware emphasizes the need for comprehensive security solutions capable of detecting and responding to advanced evasion techniques. Organizations should also consider conducting regular security audits and code reviews to identify and address potential vulnerabilities in their software supply chain.
