Which versions of colourfulls are malicious?

The following PyPI versions of colourfulls are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate colourfulls if I installed it?

colourfulls is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed colourfulls — how do I know if it already compromised me?

If colourfulls was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is colourfulls part of a known attack campaign?

Yes — colourfulls is associated with the 2024-08-old-colourfulls campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find colourfulls across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for colourfulls (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging colourfulls across your stack and pipelines.

Malicious package

colourfullsPyPI

Malicious code in colourfulls (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-12246

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall colourfulls

What this malware does

Once imported, the module attempts to download an executable, put into Discord directory and most probably trick discord to start it. The download link does not work any more, so it's not possible to say what exactly the remote file did.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-08-old-colourfulls

Reasons (based on the campaign):

Downloads and executes a remote executable.
typosquatting

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

05361e9ae5d4e524b74277f42f1c642e882e424fa5b7b2960f3f40f54ae65de8

735ca3ff38b76e7b11c1f7b884880871427299042e250bb42e17dcf66b8c8e11

2359e28fa8ea5029c6a3a151b7ca29437b37c223577a3a9e503197488ba46cc2

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for colourfulls (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging colourfulls across your stack and pipelines.
If you installed it — respond
colourfulls is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If colourfulls was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks colourfulls before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. colourfulls on PyPI has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2024-08-old-colourfulls

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)

Detect & block this

O3 blocks colourfulls-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring