Checkmarx Zero researcher Ariel Harush has discovered evidence of a malicious package campaign consistent with live adversarial activity as well as adversarial research and testing. The campaign targets Python and NPM users on Windows and Linux through typo-squatting and name-confusion attacks against colorama (a widely used Python package for colorizing terminal output) on PyPI and the similarly named colorizr JavaScript package on NPM. The malicious packages themselves were uploaded to PyPI.
- Multiple packages carrying significantly risky payloads were uploaded to PyPI under names similar to legitimate packages in both PyPI and NPM.
- The tactic of using the name from one ecosystem (NPM) to attack users of a different ecosystem (PyPI) is unusual.
- Payloads allow persistent remote access to and remote control of desktops and servers, as well as harvesting and exfiltrating sensitive data.
- Windows payloads attempt to bypass antivirus/endpoint protection controls to avoid detection.
- Packages have been removed from public repositories, limiting immediate potential for damage.
These behaviors are consistent with targeted adversarial activity and coordinated campaigns. Based on this pattern, it is likely that these packages were created to attack a particular target or set of targets. No clear attribution data is currently available, so we do not know whether this campaign is connected to a well-known adversary.
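One defender-side check that the name-confusion pattern above calls for, as an added example (not Checkmarx's code): compare each declared dependency against allow-lists of well-known names from its own ecosystem and from the other one, flagging exact borrowings (the colorizr-on-PyPI tactic) separately from near-miss typos of colorama. The allow-lists and the sample manifest are constructed assumptions.

```python
"""Flag dependency names that are near-misses of well-known packages or that
borrow a legitimate name from the other ecosystem (the colorama / colorizr
pattern above). Added example, not Checkmarx's tooling; allow-lists and the
sample manifest are constructed."""
import re
from typing import Dict, Optional, Tuple
# Constructed allow-lists; real tooling would load curated popular-package lists.
KNOWN_PYPI = {"colorama", "requests", "numpy"}
KNOWN_NPM = {"colorizr", "chalk", "express"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a popular name is the typo-squat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name: str, ecosystem: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, reference). Verdicts: known, cross-ecosystem, lookalike, unknown."""
    name = name.lower()
    own, other = (KNOWN_PYPI, KNOWN_NPM) if ecosystem == "pypi" else (KNOWN_NPM, KNOWN_PYPI)
    if name in own:
        return "known", name
    if name in other:  # legitimate elsewhere: the NPM-name-on-PyPI tactic
        return "cross-ecosystem", name
    closest = min(own | other, key=lambda ref: levenshtein(name, ref))
    if levenshtein(name, closest) <= 2:  # one or two typos, swaps or extra chars
        return "lookalike", closest
    return "unknown", None

def audit_requirements(text: str, ecosystem: str = "pypi") -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify each name in a requirements.txt-style listing (specifiers and extras stripped)."""
    results = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name = re.split(r"[=<>~!\[; ]", line, maxsplit=1)[0]
            results[name] = classify(name, ecosystem)
    return results

# Constructed sample: an NPM name and a typo of colorama slipped into a Python manifest.
SAMPLE_REQUIREMENTS = """requests>=2
colorizr          # legitimate on NPM, suspicious in a PyPI manifest
colorrama>=0.4    # constructed lookalike of colorama
numpy
"""
```

Running `audit_requirements(SAMPLE_REQUIREMENTS)` marks colorizr as cross-ecosystem and colorrama as a lookalike of colorama; the same function with `ecosystem="npm"` audits a package.json dependency list parsed into the same one-name-per-line form.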
Cross-Platform Supply Chain Attacks Targeting Users of