Colourama

In October 2018 the PyPI repository was found tainted again. colourama, a typosquat of the widely used colorama package, drops a VBScript on Windows hosts that monitors the clipboard for what looks like a cryptocurrency wallet address, a sign that the user is about to make a payment, and replaces it with an attacker-controlled address so that the funds are diverted to the attacker. Bertus, who reported it, estimates it was downloaded about 55 times and notes that it may still be present in software that has incorporated it.

  • Uninstall the colourama package.
  • Uninstalling it does not stop or remove the dropped VBScript, which runs independently of Python. Bertus recommends:
    • Delete the VBScript dropped at %PROGRAMDATA%\Microsoft Essentials\Software Essentials.vbs.
    • Delete the Microsoft Software Essentials value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, which relaunches the script at every logon.
    • Stop the running script; it will show up as wscript.exe in the process list. Alternatively restart the machine, but only after the Run entry has been removed, otherwise the script simply starts again.
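The checks and clean-up above as one PowerShell script. This is an added example, not code from Bertus's write-up or from the package; the only indicators it relies on are the file path and the Run value named in the text, plus the assumption that the persisted script appears with its full path on the wscript.exe command line. Run it as the user who installed the package, because the Run key lives in HKCU and is per user.

```powershell
# Added example: look for the colourama artefacts described above and, with
# -Remediate, remove them in an order that stops the script from coming back.
param([switch]$Remediate)

# Indicators taken from the write-up
$vbsPath = Join-Path $env:ProgramData 'Microsoft Essentials\Software Essentials.vbs'
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName = 'Microsoft Software Essentials'

$findings = @()

# 1. Is the malicious package still installed? pip show exits non-zero when it is not.
& pip show colourama 2>$null | Out-Null
$pkgInstalled = ($LASTEXITCODE -eq 0)
if ($pkgInstalled) { $findings += "pip package 'colourama' is installed" }

# 2. Dropped VBScript under %PROGRAMDATA%
$vbsPresent = Test-Path -LiteralPath $vbsPath
if ($vbsPresent) { $findings += "dropped script present: $vbsPath" }

# 3. Logon persistence via the HKCU Run value
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).$runName
if ($runValue) { $findings += "Run value '$runName' -> $runValue" }

# 4. Running wscript.exe whose command line references the dropped script
#    (assumption: the Run value launches it by full path, so the path is visible here)
$procs = Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe'" |
         Where-Object { $_.CommandLine -like '*Software Essentials.vbs*' }
foreach ($p in $procs) { $findings += "wscript.exe PID $($p.ProcessId): $($p.CommandLine)" }

if (-not $findings) {
    Write-Host 'No colourama indicators found.'
    return
}
$findings | ForEach-Object { Write-Warning $_ }

if ($Remediate) {
    # Kill the script first so nothing is holding the file, then remove the
    # persistence so a reboot cannot relaunch it, then the file, then the package.
    foreach ($p in $procs) { Stop-Process -Id $p.ProcessId -Force }
    if ($runValue)   { Remove-ItemProperty -Path $runKey -Name $runName }
    if ($vbsPresent) { Remove-Item -LiteralPath $vbsPath -Force }
    if ($pkgInstalled) { & pip uninstall -y colourama }
    Write-Host 'Remediation complete. Re-run without -Remediate to confirm nothing remains.'
}
```

Without -Remediate the script only reports, which is the safer first run on a machine you are triaging. Step 4 will miss an instance that was started by some other means than the Run value, so if the file or key was found but no process matched, check all wscript.exe processes by hand before trusting the result.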