Introduction
Open-source software repositories such as PyPI and npm remain popular entry points for cybercriminals exploiting supply chain dependencies. Recently, researchers discovered malicious packages designed to execute multi-stage malware, establish persistence, and exfiltrate sensitive data.
At CyberTech Nexus, we recognize that such attacks highlight the urgent need for supply chain security assessments, continuous monitoring, and strong incident response frameworks. Our consultancy is committed to helping businesses and individuals protect themselves from these emerging risks.
The Discovery
Researchers identified a malicious Python package named termncolor, which imported a dependency called colorinal. Together, they enabled:
- DLL side-loading for decryption and execution of malicious payloads.
- Persistence mechanisms via Windows registry Run keys.
- System information harvesting and covert C2 communication using the Zulip chat platform.
- A Linux variant that drops a malicious shared object file (terminate.so).
Our Services Applied:
- IT & Cybersecurity Consultancy: Advising organizations on secure coding practices and open-source dependency management.
- Security Audits & Vulnerability Assessments: Identifying malicious or vulnerable packages before integration.
- Penetration Testing: Simulating supply chain compromise to measure resilience.
Expanding Threats in npm Packages
Further investigations revealed booby-trapped npm packages distributed under the guise of job assessments and proof-of-concept exploits. These were capable of:
- Harvesting iCloud Keychain, browser, and cryptocurrency wallet data
- Running Python scripts, scanning file systems, and stealing credentials
- Logging keystrokes, taking screenshots, and monitoring clipboard content
Our Services Applied:
- Password Security & Personal Data Security: Protecting stored credentials and sensitive files from theft.
- Cybersecurity Solutions for Individuals & Businesses: Deploying endpoint protection and monitoring solutions.
- Managed Security Services (MSS): Providing 24/7 detection of abnormal activity.
The Supply Chain Security Challenge
The attack on the eslint-config-prettier npm package demonstrates how even automated dependency management tools like Dependabot can be manipulated into pushing malicious updates without scrutiny. Over 14,000 projects were exposed because of incorrect dependency declarations.
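As an added example, not code from the original post or from any of the researchers it cites, the following Python script audits a requirements.txt and a package.json for the two PyPI names reported in The Discovery section and for any dependency left without an exact version pin, the declaration pattern that lets an automatically pushed update land without review. Both manifests are constructed for this example.

```python
import json
import re

# Names this post reports as malicious PyPI packages; constructed blocklist for the example.
KNOWN_MALICIOUS_PYPI = {"termncolor", "colorinal"}

# One requirements.txt line: name, optional extras, optional version spec, e.g. "foo[bar]>=1.0,<2".
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([<>=!~].*)?$")


def normalize(name):
    """PEP 503 style normalisation so 'Colorinal' and 'colorinal' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text, blocklist=KNOWN_MALICIOUS_PYPI):
    """Return (name, issue) findings: blocklisted names and specs not pinned with '=='."""
    blocked = {normalize(b) for b in blocklist}
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("-"):        # skip blanks and options such as -r / -e
            continue
        m = _REQ_RE.match(line)
        if not m:
            findings.append((line, "unparsable"))
            continue
        name, spec = normalize(m.group(1)), (m.group(3) or "").strip()
        if name in blocked:
            findings.append((name, "blocklisted"))
        if not spec.startswith("=="):
            findings.append((name, "unpinned"))
    return findings


def audit_npm(package_json_text):
    """Flag npm dependencies whose range is not an exact x.y.z version (caret, tilde, >= ...),
    since such ranges let a newly published version be pulled in automatically."""
    data = json.loads(package_json_text)
    return [(name, "unpinned")
            for section in ("dependencies", "devDependencies")
            for name, rng in data.get(section, {}).items()
            if not re.fullmatch(r"\d+\.\d+\.\d+", rng)]


# Constructed sample manifests, not taken from any real project.
SAMPLE_REQUIREMENTS = "requests==2.31.0\ntermncolor==1.0.0\nColorinal\nflask>=2.0  # loose\n"
SAMPLE_PACKAGE_JSON = '{"dependencies": {"eslint-config-prettier": "^8.0.0", "lodash": "4.17.21"}}'

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS) + audit_npm(SAMPLE_PACKAGE_JSON):
        print(finding)
```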
Our Services Applied:
- Compliance & Regulatory Services: Ensuring organizations align with secure development lifecycle standards (ISO 27001, NIST).
- Cyber Protection Academy: Training developers and engineers on secure package management.
- Incident Response & Recovery: Containing and remediating compromised environments quickly.
Threat Actor Insights
Analysis revealed that the actors behind these campaigns:
- Used Zulip-based C2 communication to evade detection.
- Exchanged nearly 91,000 private messages within their malicious network.
- Have been active since July 2025, with activity increasing steadily.
Conclusion
The discovery of termncolor, colorinal, and the malicious npm packages highlights the critical need for robust supply chain defense strategies. Attackers are becoming increasingly sophisticated, using legitimate services (Dropbox, Zulip, GitHub) to mask malicious intent.
At CyberTech Nexus, we provide:
- Proactive consultancy to secure your development pipeline.
- Audits & penetration testing to identify vulnerabilities early.
- Incident response & recovery when attacks occur.
- Managed security services for continuous monitoring.
- Training & compliance support to strengthen your workforce.
Whether you are a developer, business, or individual, protecting your digital assets requires strategic defense, rapid response, and continuous security awareness.