Malicious PyPI and npm Packages Discovered Exploiting Dependencies in Supply Chain Attacks

August 18, 2025
No Comments

Malicious PyPI and npm Packages Discovered Exploiting Dependencies in Supply Chain Attacks

Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that introduces malicious behavior through a dependency that allows it to establish persistence and achieve code execution.
The package, named termncolor, realizes its nefarious functionality through a dependency package called colorinal by means of a multi-stage malware operation, Zscaler

Leave a Reply Cancel reply

Managing Third-Party Security Risks in Education August 15, 2025
In December 2024, PowerSchool — one of North America’s most widely used student information systems — disclosed a breach that affected millions of students and educators. Hackers gained access using a compromised password and remained undetected for nine days, exposing sensitive personal information, including Social Security numbers and medical histories. This wasn’t just a system […]
Zac Amos
Canadian Parliament Hit by Cyberattack, Investigation Underway August 15, 2025
The House of Commons and Canada’s cybersecurity agency are investigating a significant breach of parliamentary employee data, CBC News reports. An internal email to CBC staff on Monday 11 August said a malicious actor exploited a recent Microsoft vulnerability to gain unauthorized access to a database used to manage computers and mobile devices. The data […]
Kirsten Doyle
Credential Theft and Data Exfiltration Lead Modern Ransomware Threats August 15, 2025
Ransomware and infostealer threats are evolving faster than most organizations can keep pace. Security teams have invested heavily in backup and recovery systems, yet today’s most damaging attacks often bypass encryption altogether. Picus Security’s Blue Report 2025 uncovered a shift: threat actors are targeting credential theft, data exfiltration, and lateral movement, founded on stealth and […]
Kirsten Doyle
Why upskilling must be a strategic priority for UK tech organisations August 14, 2025
The UK tech sector stands at a crossroads. On one hand, we are seeing ambitious investments in emerging technologies, particularly AI, cloud computing, and cybersecurity. On the other hand, a significant disconnect grows between the pace of innovation and the digital capabilities of the current workforce. According to a 2024 study by the University of […]
Alexia Pedersen
Six New Windows Vulnerabilities Found, Including First Rust-Based Kernel Flaw August 14, 2025
Six new vulnerabilities have been found in Microsoft Windows. One is critical. All are serious. Check Point Research discovered the flaws and disclosed them privately to Microsoft. Patches were released on 12 August as part of Patch Tuesday. The risks are varied: system crashes, arbitrary code execution, and information leaks. For attackers, the attack surface […]
Kirsten Doyle
The Real Purpose of the UK’s Online Safety Act: An Expert Explains August 13, 2025
The introduction of the UK’s Online Safety Act has sparked a lot of conversation and confusion. Both users and businesses are still trying to make sense of what it really means and how to navigate it. Professor George Loukas, Professor of Cyber Security (Human-centric and Cyber-physical Security) at the University of Greenwich, is here to […]
Dilki Rathnayake
Empowering Citizen Developers Without Compromising Security August 13, 2025
Thanks to no-code tools, citizen application development platforms (CADPs) are ushering in a new era where business units are no longer waiting in IT backlogs for application support—they’re building their own. Employees without coding skills are creating business applications, workflow automations, and integrations with a few clicks. According to Gartner, citizen developers will contribute up […]
Yair Finzi
Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images August 13, 2025
In March last year, an insidious software supply chain compromise was revealed. The discovery of a backdoor in XZ Utils shook the cybersecurity world, thanks to its technical sophistication and for the bad actor’s methodical patience. A developer known as “Jia Tan” had spent two years earning trust in the XZ Utils project. The code […]
Kirsten Doyle
Erlang/OTP SSH Flaw Actively Exploited in OT Networks August 13, 2025
A critical flaw in Erlang’s Open Telecom Platform is under active attack. CVE-2025-32433 carries a CVSS score of 10.0 and allows remote code execution without authentication. According to Palo Alto’s Unit 42 reseachers, it affects the platform’s native SSH daemon, used to manage hosts in telecom, 5G, and industrial systems. Bad actors can send specific […]
Kirsten Doyle
Breach at Dutch Lab Exposes Data of 485,000 in Cervical Cancer Screening August 12, 2025
A breach at a Dutch laboratory has exposed the personal and medical data of more than 485,000 women in the national cervical cancer screening programme. The attack hit Clinical Diagnostics NMDL, a Eurofins subsidiary in Rijswijk. The lab tests self-sample kits and smear test samples for Bevolkingsonderzoek Nederland (Population Research Netherlands). Bad actors accessed names, […]
Kirsten Doyle

Malicious PyPI and npm Packages Discovered Exploiting Dependencies in Supply Chain Attacks

Wazuh for Regulatory Compliance

⚡ Weekly Recap: NFC Fraud, Curly COMrades, N-able Exploits, Docker Backdoors & More

Leave a Reply Cancel reply

[email protected]

Malicious PyPI and npm Packages Discovered Exploiting Dependencies in Supply Chain Attacks

Malicious PyPI and npm Packages Discovered Exploiting Dependencies in Supply Chain Attacks

Share :

Leave a Reply Cancel reply