Package names repurposed to push malware on PyPI


Researchers from ReversingLabs discovered termcolour, a three-stage downloader with numerous variants, as a malicious package on the Python Package Index (PyPI) around the beginning of March. The dangerous payload itself was not hard to locate, but the package's name caught our attention: termcolour was not a brand-new package. In fact, it had been added to PyPI two years earlier, only to be taken down.

Beginning in March, it resurfaced on PyPI, this time as a malicious downloader. Abandoned projects are sometimes handed to new owners, and brand-new packages sometimes adopt the names of earlier, defunct modules. In the great majority of cases these modules are valid and benign. However, supply chain attacks against software are becoming more common.
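The pattern described above, a name that went dormant or was removed and then reappeared with fresh uploads, leaves a visible trace in the release history. The following Python check is an added example written for this page, not code from ReversingLabs or from the post; it assumes only the shape of PyPI's public JSON API (`https://pypi.org/pypi/<name>/json`, whose `releases` map each version to its uploaded files with an `upload_time_iso_8601` field) and works on a constructed sample so that it runs offline. Package names, versions and dates in the sample are invented.

```python
import json
from datetime import datetime, timezone

# Constructed samples shaped like PyPI's JSON API response. Names and dates are invented.
# The first history has a release gap of about two years followed by a fresh upload,
# the second is a steadily maintained project.
RESURRECTED_SAMPLE = json.dumps({
    "info": {"name": "examplecolour"},
    "releases": {
        "1.0.0": [{"upload_time_iso_8601": "2020-02-10T12:00:00.000000Z"}],
        "1.0.1": [{"upload_time_iso_8601": "2020-03-01T09:30:00.000000Z"}],
        "1.0.2": [],  # files removed: this version no longer counts as a live release
        "2.0.0": [{"upload_time_iso_8601": "2022-03-05T08:00:00.000000Z"}],
    },
})
STEADY_SAMPLE = json.dumps({
    "info": {"name": "steadylib"},
    "releases": {
        "0.1.0": [{"upload_time_iso_8601": "2021-01-05T12:00:00.000000Z"}],
        "0.2.0": [{"upload_time_iso_8601": "2021-06-01T12:00:00.000000Z"}],
        "0.3.0": [{"upload_time_iso_8601": "2021-11-20T12:00:00.000000Z"}],
    },
})


def _parse_time(stamp):
    """PyPI emits timestamps such as '2020-02-10T12:00:00.000000Z'; return an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def release_timeline(project_json):
    """Return [(version, earliest_upload_time)] sorted by time, skipping versions with no files."""
    data = json.loads(project_json)
    timeline = []
    for version, files in data["releases"].items():
        times = [_parse_time(f["upload_time_iso_8601"]) for f in files]
        if times:
            timeline.append((version, min(times)))
    timeline.sort(key=lambda item: item[1])
    return timeline


def assess_name_reuse(project_json, dormant_days=365, recent_days=90, now=None):
    """Flag a package whose name was dormant for at least `dormant_days` and then received a
    recent upload, or which is brand new. Thresholds are assumptions for this example, not
    values from PyPI or the post. `now` may be an aware datetime or a PyPI-style timestamp."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_time(now)
    timeline = release_timeline(project_json)
    result = {
        "name": json.loads(project_json)["info"]["name"],
        "live_releases": len(timeline),
        "longest_gap_days": 0,
        "dormant_then_revived": False,
        "brand_new": False,
    }
    if not timeline:
        return result
    latest = timeline[-1][1]
    result["brand_new"] = len(timeline) == 1 and (now - latest).days <= recent_days
    # Pair each release with its successor and look for a long silence that ended recently.
    for (_, earlier), (_, later) in zip(timeline, timeline[1:]):
        gap = (later - earlier).days
        result["longest_gap_days"] = max(result["longest_gap_days"], gap)
        if gap >= dormant_days and (now - later).days <= recent_days:
            result["dormant_then_revived"] = True
    return result


if __name__ == "__main__":
    for sample in (RESURRECTED_SAMPLE, STEADY_SAMPLE):
        print(assess_name_reuse(sample, now="2022-03-20T00:00:00.000000Z"))
```

A flag from this check is a reason to review the package (new maintainer, changed repository, install-time code) before adding or updating the dependency, not proof of malice: legitimate projects do change hands or wake up after a long pause, as the post notes.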

