Python’s Colorama Typosquatting Meets ‘Fade Stealer’ Malware
Description

As our hunt against malicious Python packages continues, Imperva Threat Research recently discovered an attempt to masquerade Fade Stealer malware as a nondescript package, Colorama.

Why Colorama? Colorama is a package used by developers to add color and style to their text in terminal outputs.

Figure 1: Genuine Colorama package

Colorama is number 44 in the top downloaded PyPI packages in the last month, which makes it a great candidate for attackers to create malicious copies in an effort to fool innocent developers.

Figure 2: ‘Colorama’ popularity

There have been several attempts to masquerade the ‘colorama’ package in the last year by using typosquatting, such as ‘colarama’, ‘colourama’, ‘colorama-api’, etc.

Figure 3: Masquerade packages of ‘Colorama’

While browsing the internet, we came across several blog posts, including those from Inedo, Sonatype, and Phylum, discussing different packages masquerading as the Colorama package.

Our Findings

Our journey started with the ‘colarama-api’ package, which was discovered by our detection system. A file called ‘setup.py’ triggered the alert, and its metadata caught our attention. Several fields (marked in red below) attempted to gain the trust of users by naming the legitimate author of the package.

Figure 4: ‘colarama-api’ metadata from setup.py

The second thing we observed was the import of the base64 decode and request libraries, along with a Discord webhook reference. These were suspicious because they are not…
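The two signals the post describes, a package name that closely resembles a popular one and a setup.py that imports base64/requests and embeds a Discord webhook, can be turned into a small triage check. The script below is an added example, not Imperva's detection system or code from the post; the sample setup.py, the popular-package list, the author placeholder and the webhook URL are all constructed, and the affix list and similarity threshold are assumptions chosen for illustration. Note that it also handles the suffix-squat form (‘colorama-api’), which plain string similarity alone would miss.

```python
"""Triage helper for two signals from the post: a package name that resembles a
popular one, and a setup.py with install-time imports of base64/requests plus an
embedded Discord webhook. Added example, not Imperva's detector."""
import ast
import difflib
import re

# Constructed sample setup.py modelled on the post's description: author field
# impersonating the legitimate maintainer, base64 + requests imports, webhook URL.
# The author string and the webhook URL are placeholders, not values from the
# real package.
SAMPLE_SETUP_PY = '''
from setuptools import setup
import base64
import requests

WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"

setup(
    name="colarama-api",
    version="0.0.1",
    author="<legitimate colorama maintainer name>",
    description="Cross-platform colored terminal text.",
)
'''

# Constructed allow-list; a real deployment would load the top-N PyPI names
# from a download-statistics feed instead of hard-coding them.
POPULAR_PACKAGES = ["colorama", "requests", "numpy", "urllib3", "setuptools"]

# Modules a plain build script rarely needs while it is being installed.
SUSPICIOUS_MODULES = {"base64", "requests", "urllib", "subprocess", "socket"}

# Affixes attackers bolt onto a genuine name ("colorama-api"); assumed list.
AFFIXES = ("python", "py", "api", "lib", "pkg")

WEBHOOK_RE = re.compile(r"https?://(?:[\w.-]+\.)?discord(?:app)?\.com/api/webhooks/\S+")


def normalize(name):
    """PyPI treats '-', '_' and '.' as equivalent and names as case-insensitive."""
    return re.sub(r"[-_.]", "", name.lower())


def strip_affixes(n):
    """Remove one leading and one trailing affix so 'coloramaapi' compares as 'colorama'."""
    for a in AFFIXES:
        if n.startswith(a) and len(n) > len(a):
            n = n[len(a):]
        if n.endswith(a) and len(n) > len(a):
            n = n[:-len(a)]
    return n


def typosquat_matches(name, popular=POPULAR_PACKAGES, threshold=0.8):
    """Popular names that `name` resembles but is not (exact matches are the genuine package)."""
    n = normalize(name)
    core = strip_affixes(n)
    hits = []
    for p in popular:
        q = normalize(p)
        if n == q:
            continue
        ratio = difflib.SequenceMatcher(None, core, q).ratio()
        if core == q or ratio >= threshold:
            hits.append(p)
    return hits


def imported_modules(tree):
    """Top-level module names imported anywhere in the file."""
    mods = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module.split(".")[0])
    return mods


def setup_metadata(tree):
    """String keyword arguments passed to setup(...)."""
    meta = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "setup":
            for kw in node.keywords:
                if isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, str):
                    meta[kw.arg] = kw.value.value
    return meta


def triage_setup_py(source, popular=POPULAR_PACKAGES):
    """Return findings for one setup.py; an empty 'reasons' list means nothing stood out."""
    tree = ast.parse(source)
    name = setup_metadata(tree).get("name", "")
    suspicious = sorted(imported_modules(tree) & SUSPICIOUS_MODULES)
    webhook = WEBHOOK_RE.search(source) is not None
    lookalikes = typosquat_matches(name, popular)
    reasons = []
    if suspicious:
        reasons.append("install-time imports: " + ", ".join(suspicious))
    if webhook:
        reasons.append("embedded Discord webhook URL")
    if lookalikes:
        reasons.append("name resembles popular package(s): " + ", ".join(lookalikes))
    return {"name": name, "suspicious_imports": suspicious,
            "webhook": webhook, "lookalikes": lookalikes, "reasons": reasons}


if __name__ == "__main__":
    for reason in triage_setup_py(SAMPLE_SETUP_PY)["reasons"]:
        print("-", reason)
```

Each signal on its own is only a triage hint: some legitimate build scripts do import requests or base64, and short popular names will produce similarity hits, so the output is meant to prioritise packages for review rather than to block them outright.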
