npm's 'colors' Package Targeted in Malicious Typosquatting Attacks
npm, the package registry for JavaScript, has seen a series of typosquatting attacks aimed at users of the 'colors' package, which has 20 million weekly downloads. A developer who mistypes the name or installs a look-alike pulls attacker-controlled code into their project, which puts a large number of open-source projects at risk.
In November 2021, attackers published look-alike packages such as 'colors-2.0.0' and 'colors-2.0', named so that they read as newer releases of 'colors'; npm later removed them. Some of them shipped unobfuscated code that referenced Discord webhook URLs, a common exfiltration channel for npm infostealers, which confirmed that the packages were malicious rather than accidental name collisions.
Further malicious packages, including 'colorsss', 'grabbir', 'nocuzune' and 'wixdev2022-1', were published by unidentified threat actors. Their payloads opened a TCP reverse shell to 62.113.122[.]13 (an IP address, not a domain), contained Discord token stealers, and read the browser's 'leveldb' files, the local-storage format in which Chromium-based browsers and the Electron-based Discord desktop client keep data such as Discord session tokens. 'wixdev2022-1' additionally carried a BusyBox Linux executable that connected to xhc[.]vg.
In 2021, PyPI had likewise removed 'mitmproxy2', a malicious fork of 'mitmproxy' with an artificially introduced code execution vulnerability. And in January 2022 the genuine 'colors' package was sabotaged by its own maintainer, who published a release that printed zalgo text in an infinite loop and broke builds that picked it up automatically. The two cases are different supply-chain risks: a lockfile or a pinned version range limits exposure to a sabotaged release, but only checking the names you install guards against a look-alike package.
These look-alike names are chosen to read as newer releases of the official 'colors' library. The distinction matters: npm selects a version with 'name@version', so 'npm install colors@2.2.0' asks the registry for a release of 'colors', whereas 'colors-2.2.0' or 'colors2.0' is an entirely separate package under someone else's control. Sonatype reports that its Repository Firewall detected malicious npm packages including 'colors2.0', 'colors-2.2.0' and 'colorsss', and that its users were protected because such packages are automatically blocked and quarantined.
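The naming trick above (a version-like suffix or a few extra characters glued onto a well-known name) is mechanical enough to check for before a registry-side firewall ever sees the request. The following Node.js script is an added example, not code from the original article or from Sonatype: it scans a package.json for dependencies whose names reduce to a known package name once a trailing version-like suffix is stripped, or that sit within a small edit distance of one. The package.json object, the list of known names and the allowlist are constructed for illustration and use the look-alike names mentioned in the article.

```javascript
// Added example (not from the original article or from Sonatype): a triage
// check for dependency names that look like typosquats or fake "newer
// versions" of a known package, e.g. 'colors2.0' or 'colorsss' for 'colors'.
// The package.json object and the known-name list below are constructed.

// Levenshtein edit distance between two strings (single-row variant).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // holds d[i-1][j-1] while scanning j
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Strip a trailing version-like suffix: 'colors2.0', 'colors-2.2.0' and
// 'colors_v3' all reduce to 'colors'. Names without one are returned as-is.
function stripVersionSuffix(name) {
  const m = name.match(/^(.+?)[-_.]?v?\d+(?:\.\d+)*$/);
  return m ? m[1] : name;
}

// Scan dependencies and devDependencies for look-alikes of knownNames.
// allowlist: names that are legitimate despite looking similar (for
// example 'color' next to 'colors'); it suppresses known false positives.
function flagSuspiciousDeps(pkgJson, knownNames, allowlist = [], maxDistance = 2) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const skip = new Set([...knownNames, ...allowlist]);
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (skip.has(name)) continue;
    const base = stripVersionSuffix(name);
    for (const known of knownNames) {
      if (base === known) {
        findings.push({ name, lookalikeOf: known, reason: 'version-like suffix on a known package name' });
        break;
      }
      const d = editDistance(base, known);
      if (d <= maxDistance) {
        findings.push({ name, lookalikeOf: known, reason: `edit distance ${d} from a known package name` });
        break;
      }
    }
  }
  return findings;
}

// Constructed package.json: the genuine 'colors', the look-alike names the
// article mentions, and unrelated dependencies that must not be flagged.
const samplePackageJson = {
  name: 'demo-app',
  dependencies: {
    colors: '^1.4.0',
    'colors2.0': '*',
    'colors-2.0': '*',
    chalk: '^4.1.2',
  },
  devDependencies: {
    'colors-2.2.0': '*',
    colorsss: '*',
    'wixdev2022-1': '*',
    nocuzune: '*',
  },
};

// Hypothetical "known good" list; in practice, the names your project
// already depends on plus the most-downloaded packages on the registry.
const KNOWN_NAMES = ['colors', 'chalk', 'lodash'];

function demo() {
  return flagSuspiciousDeps(samplePackageJson, KNOWN_NAMES, ['color']);
}

for (const f of demo()) {
  console.log(`${f.name}: ${f.reason} ('${f.lookalikeOf}')`);
}
```

Run against the sample, it flags 'colors2.0', 'colors-2.0' and 'colors-2.2.0' as version-suffixed variants of 'colors' and 'colorsss' as an edit-distance-2 near miss, while leaving 'chalk', 'wixdev2022-1' and 'nocuzune' alone; the last two are malicious too, but they are not typosquats of anything on the list, which is exactly why a name heuristic complements rather than replaces registry-side scanning. The allowlist is not optional in real use: legitimate short names such as 'color' sit one edit away from 'colors' and would otherwise be reported on every run.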