{"id":"MAL-2025-5126","summary":"Malicious code in readmecolorama (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (4f74e374afe61cdaa52e0c651ae413abc94b50cd15de263a9d247de21bfc6fa1)\nImporting the module starts download and running a remote executable, identified as malware by AVs\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-05-coloramashowtemp \n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n","aliases":["SNYK-PYTHON-READMECOLORAMA-10305013"],"modified":"2026-03-19T12:56:15.108707Z","published":"2025-05-18T00:05:16Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2025-06-18T10:15:18Z","id":"RLMA-2025-03023","source":"reversing-labs","import_time":"2025-06-18T15:06:02.421579205Z","sha256":"7cad9d6c1364c940f087a52f3136ddbcd1e2e7e9118de880284237a1d839055f","versions":["0.1.0"]},{"modified_time":"2025-07-31T19:16:15Z","id":"RLUA-2025-03673","source":"reversing-labs","import_time":"2025-08-01T10:41:35.405563504Z","sha256":"c0f43da6669cf9a48e88ad211fe0d2db630c4e94668c3a1feb12d5fef4db7d53"},{"modified_time":"2025-05-18T00:05:16Z","id":"pypi/2025-05-coloramashowtemp/readmecolorama","source":"kam193","import_time":"2025-12-02T22:30:55.523169522Z","sha256":"55c2f9671efb3bc3772a29971fae2313022349abe5970a426c36e305e5c25538","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"modified_time":"2025-05-18T00:05:16Z","id":"pypi/2025-05-coloramashowtemp/readmecolorama","source":"kam193","import_time":"2025-12-02T23:07:18.560025246Z","sha256":"4f74e374afe61cdaa52e0c651ae413abc94b50cd15de263a9d247de21bfc6fa1","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"modified_time":"2025-05-18T00:05:16Z","id":"pypi/2025-05-coloramashowtemp/readmecolorama","source":"kam193","import_time":"2025-12-10T21:38:57.769232589Z","sha256":"f19060de81fafe38f1b4cb199a4b1e81561dfb03f5b7138a0bc48c6654f3c929","versions":["0.1.0"]},{"modified_time":"2026-03-18T12:18:03Z","id":"RLUA-2026-00690","source":"reversing-labs","import_time":"2026-03-19T12:20:20.972103929Z","sha256":"8c7bf735728e56da8fed531f236ac6f6b4cad05c269cd4591e9268f11c421e5c"}],"iocs":{"urls":["https://raw.githubusercontent.com/s7bhme/gg/refs/heads/main/x69gg.exe","https://github.com/s7bhme/gg/raw/refs/heads/main/x69gg.exe","https://github.com/s7bhme/sada/raw/refs/heads/main/x69.exe"]}},"references":[{"type":"WEB","url":"https://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama"},{"type":"ADVISORY","url":"https://security.snyk.io/vuln/SNYK-PYTHON-READMECOLORAMA-10305013"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/readmecolorama"}],"affected":[{"package":{"name":"readmecolorama","ecosystem":"PyPI","purl":"pkg:pypi/readmecolorama"},"versions":["0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/readmecolorama/MAL-2025-5126.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}