PyPI Supply Chain Attack Uncovered: Colorama and Colorizr Name Confusion

June 2, 2025, 10:11 p.m.

Description

A malicious package campaign targeting Python and NPM users on Windows and Linux has been discovered. The attack uses typo-squatting and name-confusion tactics against the popular colorama Python package and the similar colorizr JavaScript package. Multiple packages with risky payloads were uploaded to PyPI, using names similar to legitimate packages in both PyPI and NPM. The unusual tactic of using an NPM package name to attack PyPI users was observed. The payloads allow remote access, control of desktops and servers, and exfiltration of sensitive data. Windows payloads attempt to bypass antivirus protection. The campaign's sophistication suggests targeted adversarial activity, although attribution remains unclear.

Date

  • Created: June 2, 2025, 10:02 p.m.
  • Published: June 2, 2025, 10:02 p.m.
  • Modified: June 2, 2025, 10:11 p.m.

Indicators

  • daef5255eac4a4d16940e424c97492c6bad8fdafd2420632c371b9d18df3b47f
  • d30c78c64985a42c34ef142fd8754a776c8db81228bafc385c5bd429252e4612

Attack Patterns