MAL-2025-5102

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/coloraiz/MAL-2025-5102.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-5102

Aliases

SNYK-PYTHON-COLORAIZ-10305008

Published

2025-05-16T10:10:16Z

Modified

2026-03-19T12:51:56.740830Z

Summary

Malicious code in coloraiz (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (dc4606b3e3f05632a889906f4c259e329a08308382fbc27329752eb8ea6a6c3c)

The package imitates colorama, and places a proxy object over the original colorama module that on every usage executes a remote code. The remote script installs a backdoor through legitimate tunnelling software and upload access credentials to the attacker.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-05-coloraiz

Reasons (based on the campaign):

impersonation
clones-real-package
action-hidden-in-lib-usage
backdoor
Downloads and executes a remote malicious script.

Database specific

{
    "iocs": {
        "urls": [
            "https://mp14dea413c69b2bf527.free.beeceptor.com/code"
        ],
        "domains": [
            "free.beeceptor.com"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "RLMA-2025-02999",
            "import_time": "2025-06-18T15:05:59.893976682Z",
            "sha256": "9ea259f4f90a9ba1877acd31cdbe71bc8600e20a2cb9b83ba830cbac7df1ce4b",
            "source": "reversing-labs",
            "modified_time": "2025-06-18T10:15:04Z",
            "versions": [
                "1.0.1",
                "1.0.2",
                "1.0.3"
            ]
        },
        {
            "id": "RLUA-2025-03566",
            "import_time": "2025-08-01T10:41:34.878864893Z",
            "sha256": "1a7ffe6fe6d8fd9746f01735fc68e8d4a9d8bd7ab89a54c16b6a7e1bebcf8b5e",
            "source": "reversing-labs",
            "modified_time": "2025-07-31T19:14:36Z"
        },
        {
            "id": "pypi/2025-05-coloraiz/coloraiz",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T22:30:55.05547489Z",
            "sha256": "6a81e133153e897e581658ea617c5256010587413cda88c2b6670c127291e39e",
            "source": "kam193",
            "modified_time": "2025-05-16T10:10:16Z"
        },
        {
            "id": "pypi/2025-05-coloraiz/coloraiz",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T23:07:18.065995073Z",
            "sha256": "dc4606b3e3f05632a889906f4c259e329a08308382fbc27329752eb8ea6a6c3c",
            "source": "kam193",
            "modified_time": "2025-05-16T10:10:16Z"
        },
        {
            "id": "pypi/2025-05-coloraiz/coloraiz",
            "import_time": "2025-12-10T21:38:57.357178826Z",
            "sha256": "a9c7340f11b6c6b930c65d277226188952f3c0d49712726a4d9e78113ad152d4",
            "source": "kam193",
            "modified_time": "2025-05-16T10:10:16Z",
            "versions": [
                "1.0.2",
                "1.0.1",
                "1.0.3"
            ]
        },
        {
            "id": "pypi/2025-05-coloraiz/coloraiz",
            "import_time": "2025-12-30T22:39:04.055034198Z",
            "sha256": "4f1b59ad5f047d550901ab3a30b5d6f663fea92b8ff764d6c327165b6a156363",
            "source": "kam193",
            "modified_time": "2025-05-16T10:10:16Z",
            "versions": [
                "1.0.1",
                "1.0.2",
                "1.0.3"
            ]
        },
        {
            "id": "RLUA-2026-00207",
            "import_time": "2026-03-19T12:19:34.637503163Z",
            "sha256": "1e4bed8653ea80abff62d06ad621c9ca63f0b99aab9110b98f2b1ae2c5b08ee0",
            "source": "reversing-labs",
            "modified_time": "2026-03-18T12:12:39Z"
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / coloraiz

Package

Name: coloraiz; View open source insights on deps.dev
Purl: pkg:pypi/coloraiz

Affected ranges

Affected versions

1.*

1.0.1

1.0.2

1.0.3

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/coloraiz/MAL-2025-5102.json"