- A single typo could let hackers hijack your system using malware hidden in fake packages
- Cross-platform malware now fools even experienced developers by mimicking trusted open source package names
- Attackers are exploiting developer trust with stealthy payloads that dodge malware protection tools
A new supply chain attack has revealed how something as innocuous as a typo can open the door to serious cybersecurity threats, experts have warned.
A report from Checkmarx claims malicious actors are using clever tricks to deceive developers into downloading fake packages, which can then give hackers control of their systems.
The attackers primarily target users of Colorama, a popular Python package, and Colorizr, a similar tool used in JavaScript (NPM).
Deceptive packages and the threat of typos
“This campaign targets Python and NPM users on Windows and Linux via typosquatting and name-confusion attacks,” said Ariel Harush, a researcher at Checkmarx.
The attackers use a technique called typosquatting. For example, instead of “colorama,” a developer might accidentally type “col0rama” or “coloramaa” and download a harmful version.
These fake packages were uploaded to the PyPI repository, which is the main source of Python libraries.
“We’ve found malicious Python (PyPI) packages as part of a typosquatting campaign. The malicious packages allow for remote control, persistence, etc.,” said Darren Meyer, Security Research Advocate at Checkmarx.
What makes this campaign unusual is that the attackers mixed names from different ecosystems, useing names from the NPM world (JavaScript) to trick Python users.
This cross-platform targeting is rare and suggests a more advanced and potentially coordinated strategy.
The Windows and Linux payloads have similar upload timings and naming but use different tools, tactics, and infrastructure, which means they may not be from the same source.
Once installed, the fake packages can do serious damage – on Windows systems, the malware creates scheduled tasks to maintain persistence and harvest environment variables, which could include sensitive credentials.
It also attempts to disable even the best antivirus software using PowerShell commands like Set-MpPreference -DisableIOAVProtection $true.
On Linux systems, packages like Colorizator and coloraiz carry encoded payloads to create encrypted reverse shells, communicate via platforms like Telegram and Discord, and exfiltrate data to services like Pastebin.
These scripts are not executed all at once; they are designed for stealth and persistence, using techniques like masquerading as kernel processes and editing rc.local and crontabs for automatic execution.
Though the malicious packages have been removed from public repositories, the threat is far from over.
Developers should be very careful when installing packages because even the best endpoint protection platforms struggle with these evasive tactics. Always double-check the spelling and make sure the package comes from a trusted source.
Checkmarx recommends that organizations audit all deployed and deployable packages, proactively examine application code, scrutinize private repositories, and block known malicious names.
