Supply Chain Risk In Python: Termncolor And Colorinal Explained
Zscaler, Thursday, August 14th, 2025
Zscaler ThreatLabz continually monitors threats in our Python scanning database, uncovering risks that may signal potential supply chain attacks.
On July 22, 2025, ThreatLabz encountered a suspicious Python package named termncolor, which at first glance appeared benign but actually introduced malicious behavior through its dependency, colorinal.
In this blog post, ThreatLabz dives into termncolor and its role in enabling a multi-stage malware operation. This attack could leverage DLL sideloading to facilitate decryption, establish persistence, and conduct command-and-control (C2) communication, ending in remote code execution (RCE). Our analysis offers a detailed breakdown of the package, the malware's potential attack chain, and the final payload. Notably, the packages examined in this research have since been removed from the Python Package Index (PyPI).
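The key lesson of the case above is that a package that looks harmless can pull in a malicious one transitively. The following is an added example, not Zscaler's tooling: it walks the installed distributions' declared requirements and prints every chain from a top-level package down to a flagged name (here the two package names from this report); the graph format and the `myapp` sample used in testing are constructed.

```python
import re
from importlib import metadata

# Package names from this ThreatLabz report; both have since been removed from PyPI.
FLAGGED = {"termncolor", "colorinal"}

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec):
    """Bare project name from a Requires-Dist line, e.g.
    'colorinal (>=1.0) ; extra == "color"' -> 'colorinal'."""
    match = _NAME_RE.match(spec)
    return normalize(match.group(1)) if match else None


def installed_graph():
    """Map each installed distribution to the names it declares as dependencies."""
    graph = {}
    for dist in metadata.distributions():
        deps = {requirement_name(r) for r in (dist.requires or [])}
        graph[normalize(dist.metadata["Name"])] = {d for d in deps if d}
    return graph


def flagged_chains(graph, flagged=FLAGGED):
    """Every chain root -> ... -> flagged package. Roots are distributions
    nothing else depends on, i.e. what a developer installed on purpose."""
    flagged = {normalize(f) for f in flagged}
    depended_on = {d for deps in graph.values() for d in deps}
    chains = []

    def walk(node, path):
        if node in flagged:
            chains.append(tuple(path))
        for dep in sorted(graph.get(node, ())):
            if dep not in path:  # guard against dependency cycles
                walk(dep, path + [dep])

    for root in sorted(n for n in graph if n not in depended_on):
        walk(root, [root])
    return chains


if __name__ == "__main__":
    for chain in flagged_chains(installed_graph()):
        print(" -> ".join(chain))
```

Running it in a suspect virtualenv shows not just whether a flagged package is present but which top-level install brought it in, which is the question an incident responder needs answered first.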