Sonatype uncovers further malicious PyPI and npm packages

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism. His expertise lies in identifying the latest technological trends, dissecting complex topics, and weaving compelling narratives around the most cutting-edge developments. His articles and interviews with leading industry figures have gained him recognition as a key influencer by organisations such as Onalytica. Publications under his stewardship have since gained recognition from leading analyst houses like Forrester for their performance. Find him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


Sonatype continues to uncover a significant number of malicious packages within the PyPI and npm software registries.

Among the flagged packages were several Python packages published on PyPI, masquerading as legitimate libraries named after the popular npm “colors” library.

The malicious packages, including names such as “broke-rcl,” “brokescolors,” and “trexcolors,” exclusively targeted the Windows operating system. Once installed, these packages would initiate the download and execution of a trojan hosted on Discord’s servers.

Sonatype promptly reported these findings to PyPI, resulting in the removal of the malicious packages and the associated user account.

Another malicious package, “trexcolors,” which was also named after the npm “colors” library, was discovered to download and execute a trojan known as “trex.exe” upon installation.

This trojan, detected by VirusTotal, functions as an information stealer and incorporates evasion techniques to impede analysis and reverse engineering efforts.

Cross-platform malware: Libiobe

In addition to the aforementioned packages, Sonatype identified a PyPI package named “libiobe,” likely inspired by the legitimate library “iobes.”

Unlike the Windows-specific packages, “libiobe” targeted both Windows and Unix operating systems.

On Windows, the package deployed a trojan-infected executable, named “V0d220823bb829d3fcc62d10adf.exe,” which was concealed within the source code as a base64-encoded string.

Conversely, on Linux/Unix systems, a minified Python code, also base64-encoded, executed and sent system fingerprinting data to a Telegram endpoint.

Obfuscated code: FNBOT2, TAGADAY, and ZUPPA

In addition to the PyPI and npm packages imitating the “colors” library, Sonatype’s analysis unveiled obfuscated code in packages named FNBOT2, TAGADAY, and ZUPPA.

These packages employed a similar pattern observed in previous instances of cryptominer attacks, utilising six variables named magic, love, god, destiny, joy, and trust.

The obfuscation technique employed is commonly facilitated by online tools, such as the one provided by development-tools.net.

Sonatype’s discovery of these malicious packages highlights the persistent threats faced by open-source software registries like PyPI and npm. Although the identified packages may not introduce novel payloads or tactics, they serve as a reminder of the ongoing attempts by malicious actors to exploit vulnerabilities in open-source ecosystems.

(Photo by Alex Chumak on Unsplash)

Related: PyPI suspends new projects and users due to malicious activity

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The event is co-located with Digital Transformation Week.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: , , , , , , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *