Security experts have recently found malicious packages hidden in both PyPI and npm, two of the most popular open-source ecosystems. These cases highlight how attackers are targeting developers by abusing dependencies, phishing maintainers, and using social engineering tricks.

In the PyPI case, the problem came from two packages called termncolor and colorinal. The package termncolor secretly depended on colorinal, which executed harmful code. Once installed, it ran a file named terminate.dll to decrypt and launch another stage of malware. This dropped a legitimate program called vcpktsvr.exe along with a fake libcef.dll designed to collect system data and contact attacker servers.

To avoid suspicion, the malware disguised its network traffic to look like normal activity from the chat service Zulip. On Windows, it created a registry entry to remain active after reboots. A Linux variant also existed under the name terminate.so. Before removal, termncolor was downloaded around 355 times and colorinal around 529 times, showing how easily such attacks can spread.

A different method was used in another npm attack. This time, job seekers were tricked with a fake coding test. Applicants were asked to clone a GitHub repository, but inside the project a malicious dependency was hidden. Instead of the safe package redux-ace@1.0.3, it pulled in a new package called rtk-logger@1.11.5.

The rtk-logger package contained encrypted code inside its LICENSE file. Once decrypted, it began stealing sensitive data. It targeted browser details and cryptocurrency wallet files from Chrome, Brave, Opera, and Firefox, then sent the stolen information to attacker-controlled servers. Security reports also listed technical indicators to help detect the threat.

Another npm incident happened in July 2025, when the highly popular package eslint-config-prettier was compromised. This package is used by thousands of JavaScript projects and has millions of weekly downloads. Attackers gained access to the maintainer’s account, likely through phishing emails imitating npm, and published infected versions.

These malicious versions remained online for only about two hours, but because of the package’s popularity, the impact was serious. The altered release contained a postinstall script that installed the Scavenger RAT, a remote access trojan. This malware primarily targeted Windows machines, giving attackers control over infected systems.

Although these incidents used different techniques, they all point to the same risk: attackers are targeting the software supply chain. Hiding malware in dependencies, tricking developers with fake tasks, and hijacking trusted accounts are three ways attackers are spreading malicious code into widely used tools.

For developers and organizations, the lesson is clear. Dependencies must be reviewed carefully, suspicious activity should not be ignored, and automated updates need extra monitoring. Security tools that check for unusual package behavior can also help reduce risk.
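As an added example (not code from the original article or from any of the projects it mentions), the Node.js script below shows the kind of automated dependency check the advice above calls for: it audits an npm package-lock.json for packages that declare install-time scripts, like the postinstall hook used in the eslint-config-prettier compromise, and for dependencies missing from a reviewed allowlist, as with rtk-logger appearing where redux-ace was expected. The lockfile contents and the allowlist are constructed for this example.

```javascript
// Constructed sample lockfile (npm lockfileVersion 2/3 layout). In v2/v3 lockfiles
// npm marks any package with preinstall/install/postinstall scripts with
// "hasInstallScript": true, which is what the audit keys on.
const SAMPLE_LOCK = {
  name: "coding-test",
  lockfileVersion: 3,
  packages: {
    "": { name: "coding-test", dependencies: { "rtk-logger": "1.11.5", react: "18.2.0" } },
    "node_modules/react": {
      version: "18.2.0",
      resolved: "https://registry.npmjs.org/react/-/react-18.2.0.tgz",
    },
    "node_modules/rtk-logger": {
      version: "1.11.5",
      resolved: "https://registry.npmjs.org/rtk-logger/-/rtk-logger-1.11.5.tgz",
      hasInstallScript: true,
    },
  },
};

// Assumption: the team maintains a list of dependency names it has actually reviewed.
const ALLOWED = new Set(["react", "redux-ace"]);

// Walk every installed package and return a list of findings worth a human look.
function auditLockfile(lock, allowed = ALLOWED) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    // Package name is whatever follows the last "node_modules/" (keeps @scope/name).
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!allowed.has(name)) {
      findings.push({ name, version: pkg.version, reason: "not on reviewed allowlist" });
    }
    if (pkg.hasInstallScript) {
      findings.push({ name, version: pkg.version, reason: "declares install-time script" });
    }
    if (pkg.resolved && !pkg.resolved.startsWith("https://registry.npmjs.org/")) {
      findings.push({ name, version: pkg.version, reason: "resolved outside the public registry" });
    }
  }
  return findings;
}

// Run against the constructed lockfile; swap in JSON.parse(fs.readFileSync("package-lock.json"))
// to audit a real project before running npm install.
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.reason}`);
}
```

Pair this with `npm ci --ignore-scripts` during review so flagged packages cannot run lifecycle hooks before anyone has looked at them.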

These discoveries show that supply chain attacks remain a growing threat. As open-source software becomes more important across industries, attackers will keep trying new ways to exploit it. Staying alert and responding quickly are the only ways to limit the damage.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news