Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Experts Identify Fully-Featured Info Stealer and Trojan in Python Package on PyPI

Mar 02, 2023Ravie LakshmananSoftware Security / CodingSec

A malicious Python package uploaded to the Python Package Index (PyPI) has been found to contain a fully-featured information stealer and remote access trojan.

The package, named colourfool, was identified by Kroll’s Cyber Threat Intelligence team, with the company calling the malware Colour-Blind.

“The ‘Colour-Blind’ malware points to the democratization of cybercrime that could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others,” Kroll researchers Dave Truman and George Glass said in a report shared with The Hacker News.

colourfool, like other rogue Python modules discovered in recent months, conceals its malicious code in the setup script, which points to a ZIP archive payload hosted on Discord.

The file contains a Python script ( that comes with different modules designed to log keystrokes, steal cookies, and even disable security software.

The malware, besides performing defense evasion checks to determine if it’s being executed in a sandbox, establishes persistence by means of a Visual Basic script and uses transfer[.]sh for data exfiltration.

“As a method of remote control, the malware starts a Flask web application, which it makes accessible to the internet via Cloudflare’s reverse tunnel utility ‘cloudflared,’ bypassing any inbound firewall rules,” the researchers said.

The use of Cloudflare tunnels mirrors another campaign that was disclosed by Phylum last month which made use of six fraudulent packages to distribute a stealer-cum-RAT dubbed poweRAT.

“There are strong similarities between the malware in that they both use Flask and Cloudflare,” Truman told The Hacker News. “However, whilst the Phylum researched malware relies on PowerShell for much of its key functionality, ‘Colour-Blind’ is nearly entirely written in Python.”

“Combine this with the functionality presented by the Flask web application performing different actions, rather than the newer malware adding to the functionality of the older, it could mean that the relationship is more in the form of the different threat actors sharing ideas, resources or code, rather than an evolution of a code base being developed by a single actor,” Truman added.

The trojan is feature rich and is capable of gathering passwords, terminating applications, taking screenshots, logging keystrokes, opening arbitrary web pages on a browser, executing commands, capturing crypto wallet data, and even snooping on victims via the web camera.

The findings come as threat actors are leveraging the source code associated with W4SP stealer to spawn copycat versions that are distributed via Python packages like ratebypass, imagesolverpy, and 3m-promo-gen-api.

Discover the Latest Malware Evasion Tactics and Prevention Strategies

Ready to bust the 9 most dangerous myths about file-based attacks? Join our upcoming webinar and become a hero in the fight against patient zero infections and zero-day security events!


What’s more, Phylum discovered three additional packages – called pycolured, pycolurate, and colurful – that have been used to deliver a Go-based remote access trojan referred to as Spark.

Adding to the attacks targeting PyPI, the software supply chain security firm also revealed details of a massive attack campaign wherein unknown threat actors published as many as 1,138 packages to deploy a Rust executable, which is then used to drop additional malware binaries.

“The risk/reward proposition for attackers is well worth the relatively minuscule time and effort, if they can land a whale with a fat crypto wallet,” the Phylum research team said.

“And the loss of a few bitcoin pales in comparison to the potential damage of the loss of a developer’s SSH keys in a large enterprise such as a corporation or government.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

Ferrari Discloses Ransomware Attack; Refuses to Pay Ransom

Ferrari Discloses Ransomware Attack; Refuses to Pay Ransom

Ferrari, the renowned Italian luxury car manufacturer, suffered a cyber incident that compromised the company’s client data. According to a…
ChatGPT Bug Exposes Conversation History Titles

ChatGPT Bug Exposes Conversation History Titles

A ChatGPT user on Reddit first reported the bug after noticing Chinese language characters in the title of their conversation…
Breach Forums to Remain Offline Permanently

Breach Forums to Remain Offline Permanently

The decision to shut down the Breach Forums came after the admin noticed someone had logged into an old forum…