Fade Stealer Malware Sneaks into PyPI Disguised as Colorama

Fade Stealer
‘Colorama’ popularity

In the vast and interconnected world of software development, the Python ecosystem stands out for its accessibility and extensive library support. However, this strength also brings vulnerabilities. Recently, Imperva Threat Research shone a light on a sophisticated threat lurking within a poisoned package masquerading as the benign Colorama, revealing a sinister attempt to compromise developer trust and integrity.

Colorama, a beloved tool for adding flair to terminal outputs, found itself at the center of a cyber deception. Ranked as one of the most downloaded packages, its popularity made it an attractive target for attackers. Utilizing typosquatting, a tactic where malicious packages are named similarly to popular ones, attackers launched impostors like “colarama” and “colorama-api” into the wild, hoping to ensnare unwary developers.

‘Colorama’ popularity

The journey began with the detection of “colarama-api,” where peculiarities within the “setup.py” file raised alarms. The presence of base64 decode and request libraries, alongside a Discord webhook reference, were out of place, hinting at the malicious intent lurking beneath the surface. This reveals a network of poisoned packages aiming to compromise user data.

The mention of “Fade Stealer” within the setup.py code unraveled the intentions behind these deceptive packages. Targeting Windows users, this malware sought to pilfer sensitive information from various platforms, including social media and gaming sites. Employing evasion techniques like Leet (sometimes written as “1337” or “l33t”) to dodge detection, the attackers showcased a sophisticated understanding of cybersecurity countermeasures. Their methods didn’t stop at stealth; they aggressively terminated processes to access locked files, leaving no stone unturned in their quest for data.

The cunning blend of “Fade Stealer” with typosquatting presented a novel challenge, reminding us of the importance of being careful. Developers are urged to scrutinize package names, authors, and metadata, while repository maintainers play a crucial role in safeguarding the ecosystem against such insidious threats.