
Weaponized Python Package “termncolor” Uses Windows Run Key for Persistence


In a recent disclosure, Zscaler ThreatLabz researchers described a complex supply chain attack originating from the Python Package Index (PyPI).

The package in question, termed “termncolor,” masquerades as a benign color utility for Python terminals but covertly imports a malicious dependency named “colorinal.”

This dependency serves as the initial infection vector, triggering a multi-stage malware deployment that leverages DLL sideloading, AES-encrypted payloads, and disguised command-and-control (C2) communications.

The attack chain begins with the execution of “unicode.py” within “colorinal,” which loads an embedded DLL file called “terminate.dll.”

The attack chain

This DLL decrypts and deploys subsequent payloads, ensuring the malware’s stealthy integration into the target system.
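The chain described above (a benign-looking package whose dependency ships and loads its own DLL from a Python module) can be checked for on an installed system. The following audit is an added example, not code from the Zscaler report or from either package: it walks a site-packages tree, flags any package whose module loads a DLL bundled inside that same package, and names the installed package whose metadata pulls it in. The sample tree it builds is a constructed stand-in mirroring the reported layout, and the ctypes call placed in unicode.py is an assumption, not the real colorinal code.

```python
import re
import tempfile
from pathlib import Path

# ctypes-style native loads that name a .dll on the same line, e.g. ctypes.WinDLL("terminate.dll")
NATIVE_LOAD = re.compile(r"(?:CDLL|WinDLL|OleDLL|LoadLibrary\w*)\s*\([^\n]*?([\w.-]+\.dll)", re.I)
REQUIRES = re.compile(r"^Requires-Dist:\s*([A-Za-z0-9_.-]+)", re.M)

def dll_loaders(pkg_dir: Path) -> list:
    """Return (module, dll) pairs where a .py file in pkg_dir loads a .dll shipped inside pkg_dir."""
    bundled = {p.name.lower() for p in pkg_dir.rglob("*.dll")}
    hits = []
    for py in sorted(pkg_dir.rglob("*.py")):
        for m in NATIVE_LOAD.finditer(py.read_text(errors="ignore")):
            if m.group(1).lower() in bundled:
                hits.append((py.relative_to(pkg_dir).as_posix(), m.group(1)))
    return hits

def audit_site_packages(site: Path) -> list:
    """Flag packages loading a bundled DLL and name the installed package(s) whose metadata pulls them in."""
    dependents = {}
    for meta in site.glob("*.dist-info/METADATA"):
        parent = meta.parent.name.split("-")[0].lower()
        for dep in REQUIRES.findall(meta.read_text(errors="ignore")):
            dependents.setdefault(dep.lower(), set()).add(parent)
    findings = []
    for pkg in sorted(p for p in site.iterdir() if p.is_dir() and not p.name.endswith(".dist-info")):
        for module, dll in dll_loaders(pkg):
            findings.append({"package": pkg.name, "module": module, "dll": dll,
                             "pulled_in_by": sorted(dependents.get(pkg.name.lower(), ()))})
    return findings

def build_sample_tree() -> Path:
    """Constructed stand-in for a site-packages tree with the reported layout; not the real package code."""
    site = Path(tempfile.mkdtemp())
    files = {
        "termncolor/__init__.py": "import colorinal\n",
        "termncolor-1.0.dist-info/METADATA": "Name: termncolor\nRequires-Dist: colorinal\n",
        "colorinal/unicode.py": 'import ctypes, os\n'
                                'ctypes.WinDLL(os.path.join(os.path.dirname(__file__), "terminate.dll"))\n',
        "colorinal/terminate.dll": "MZ",  # placeholder bytes standing in for the embedded DLL
        "benign_colors/__init__.py": "import ctypes\n",  # control: uses ctypes but bundles no DLL
    }
    for rel, content in files.items():
        (site / rel).parent.mkdir(parents=True, exist_ok=True)
        (site / rel).write_text(content)
    return site
```

Run `audit_site_packages(Path(site.getsitepackages()[0]))` against a real environment to list every package whose own module loads a DLL it ships, then review those by hand; the control package shows that merely importing ctypes is not flagged.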

Malicious Supply Chain Attack Vector

Notably, both packages have been expunged from PyPI following the discovery, underscoring the ongoing risks in open-source ecosystems where threat actors exploit dependency trees to distribute weaponized code.

The technical dissection reveals that “termncolor ...


Copyright of this story solely belongs to gbhackers. To see the full text click HERE