{"id":"MAL-2025-5103","summary":"Malicious code in coloramapkgs (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (c7f00bfa67a0d8743c0d46766e677dce5d28db461505c662fcb8cd9efc4b2417)\nImporting the module starts download and running a remote executable, identified as malware by AVs\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-05-coloramashowtemp \n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n","aliases":["SNYK-PYTHON-COLORAMAPKGS-10305012"],"modified":"2026-03-19T12:51:51.780988Z","published":"2025-05-18T00:05:16Z","database_specific":{"malicious-packages-origins":[{"import_time":"2025-06-18T15:06:00.021237243Z","versions":["0.1.0"],"source":"reversing-labs","sha256":"efc88346f3157cc7360fc21a7ca23c80fb5b85449a1d9d032da0663226bb574a","id":"RLMA-2025-03000","modified_time":"2025-06-18T10:15:04Z"},{"import_time":"2025-08-01T10:41:34.939717972Z","source":"reversing-labs","sha256":"d25a2fe2e2d149f4e4b6a8e845af645d3c010746046697df3cfab153efbd03cc","id":"RLUA-2025-03567","modified_time":"2025-07-31T19:14:37Z"},{"import_time":"2025-12-02T22:30:55.056289161Z","source":"kam193","sha256":"8e056102962434c232d56b9bf1f5f796b05ee736e5e5dbd8db83c5e875a39118","modified_time":"2025-05-18T00:05:16Z","id":"pypi/2025-05-coloramashowtemp/coloramapkgs","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"import_time":"2025-12-02T23:07:18.066852143Z","source":"kam193","sha256":"c7f00bfa67a0d8743c0d46766e677dce5d28db461505c662fcb8cd9efc4b2417","modified_time":"2025-05-18T00:05:16Z","id":"pypi/2025-05-coloramashowtemp/coloramapkgs","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"import_time":"2025-12-10T21:38:57.358120712Z","versions":["0.1.0"],"source":"kam193","sha256":"b8b99a3de6ecc503a82a203de6604ca200c1f3402853c072b6b0a6e03a9bb29d","id":"pypi/2025-05-coloramashowtemp/coloramapkgs","modified_time":"2025-05-18T00:05:16Z"},{"import_time":"2026-03-19T12:19:34.758838064Z","source":"reversing-labs","sha256":"0b9255fa5393c8379097e4cd11c56ea783637fa444563e90b7cb5826242abbdd","id":"RLUA-2026-00208","modified_time":"2026-03-18T12:12:39Z"}],"iocs":{"urls":["https://raw.githubusercontent.com/s7bhme/gg/refs/heads/main/x69gg.exe","https://github.com/s7bhme/gg/raw/refs/heads/main/x69gg.exe","https://github.com/s7bhme/sada/raw/refs/heads/main/x69.exe"]}},"references":[{"type":"WEB","url":"https://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama"},{"type":"ADVISORY","url":"https://security.snyk.io/vuln/SNYK-PYTHON-COLORAMAPKGS-10305012"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/coloramapkgs"}],"affected":[{"package":{"name":"coloramapkgs","ecosystem":"PyPI","purl":"pkg:pypi/coloramapkgs"},"versions":["0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/coloramapkgs/MAL-2025-5103.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}