Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Avoid using all malicious instances of the colorinal package.
colorinal is a malicious package. This package is part of a multi-stage attack and its content was removed from the official package manager. The attack utilizes a seemingly harmless package to introduce a malicious dependency. The goal of this attack is to gain remote code execution on the compromised system.
The malicious code loads a DLL file that decrypts and executes a hidden payload, which in turn drops two files onto the system: a legitimate executable vcpktsvr.exe and another malicious DLL libcef.dll.
The legitimate executable is then used to sideload the malicious DLL, which collects system information and communicates with a command-and-control (C2) server. The malware also creates a registry entry to ensure it runs every time the system starts.
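
The following is an added example, not part of the original advisory or Snyk's own code: a Python sweep that flags any directory where the two dropped files named above sit side by side, plus dependency manifest lines that name the package. The manifest file names and the sample tree are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# File names taken from the advisory; compared case-insensitively (Windows).
SIDELOAD_PAIR = {"vcpktsvr.exe", "libcef.dll"}
# Assumption: dependency manifests are text files with these (lowercased) names.
MANIFESTS = {"requirements.txt", "pyproject.toml", "pipfile", "setup.py", "setup.cfg"}
# Whole-token match: "colorinal==1.0" hits, "colorinal-tools" does not.
PKG_RE = re.compile(r"(?<![\w.-])colorinal(?![\w.-])", re.IGNORECASE)


def scan(root):
    """Return (dirs holding both dropped files, (manifest, line) pairs naming the package)."""
    pair_dirs, manifest_hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        if SIDELOAD_PAIR <= {f.lower() for f in files}:
            pair_dirs.append(dirpath)
        for name in files:
            if name.lower() not in MANIFESTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if PKG_RE.search(line.split("#", 1)[0]):  # skip comment text
                        manifest_hits.append((path, lineno))
    return sorted(pair_dirs), sorted(manifest_hits)


def build_constructed_sample(root):
    """Write a constructed tree of harmless placeholder files for the demo."""
    layout = {
        "app/requirements.txt": "requests==2.32.0\ncolorinal==0.0.0  # constructed pin\n",
        "clean/requirements.txt": "colorinal-tools\n# colorinal only in a comment\n",
        "drop/VCPKTSVR.EXE": "",
        "drop/libcef.dll": "",
        "browser/libcef.dll": "",  # libcef.dll on its own is not flagged
    }
    for rel, text in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(scan(tmp))
```

A hit on the file pair is a lead for further triage, not proof of compromise, since both names also exist as legitimate software.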