{
  "name": "Supply Chain Risk in Python: Termcolor and Colorama Explained",
  "slug": "supply-chain-risk-in-python-termcolor-and-colorama-explained",
  "description": "A suspicious Python package named termncolor was discovered, which imports a malicious dependency called colorinal. This multi-stage malware operation uses DLL sideloading to decrypt payloads, establish persistence, and conduct command-and-control communication, ultimately leading to remote code execution. The attack begins with the execution of terminate.dll, which decrypts and deploys two files: vcpktsvr.exe and libcef.dll. The malware achieves persistence through a registry entry and gathers system information. It communicates with a C2 server while disguising that traffic as legitimate Zulip chat traffic. The threat actor's profile and activities on the Zulip platform were analyzed, revealing patterns in their tactics and behavior.",
  "published": "2025-08-15T23:53:56+00:00",
  "created_at": "2025-08-15T23:53:56+00:00",
  "modified_at": "2025-08-18T14:42:16+00:00",
  "created_at_opencti": "2025-08-15T23:53:56+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-08-16",
    "c2 communication",
    "colorinal",
    "dll sideloading",
    "persistence",
    "pypi",
    "python",
    "supply-chain",
    "termncolor",
    "zulip"
  ],
  "related_entities": {
    "attack_patterns": [
      {
        "id": "045efc1e-cfa0-4e6e-b4cb-0e6c8dae4f62",
        "name": "T1085"
      },
      {
        "id": "b63bc0df-8e11-42ed-a9a9-13e19b148dbf",
        "name": "T1073"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://www.zscaler.com/blogs/security-research/supply-chain-risk-python-termncolor-and-colorinal-explained",
    "https://otx.alienvault.com/pulse/689fe4b4890a6b508d564827"
  ]
}