The package's installation code begins by manually installing additional requirements, then downloads an image from the Imgur image-hosting service and uses the newly installed package to process that image and execute the output it produces.
Two packages are installed manually: requests (a popular helper library for making HTTP and API calls) and judyb. judyb is a steganography module responsible for concealing and extracting messages hidden inside images. Check Point Research suspected that the image downloaded during the apicolor installation might itself contain hidden malicious code.
In this attack, the judyb package is used to extract obfuscated Python code embedded in the downloaded image; once decoded, that code downloads and executes a malicious binary from a remote server.
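The following is an added example, not code from the apicolor package, from judyb, or from Check Point's report. It reimplements the least-significant-bit steganography idea in pure Python over a constructed RGB pixel buffer (no Pillow or judyb dependency) to show how Python source can be hidden in an innocuous-looking image and recovered and executed by an installer. The cover image, the hidden source, and the function names are all constructed for illustration; the hidden "payload" here is harmless and runs in an isolated namespace, whereas the real sample fetched a binary from a remote server.

```python
"""LSB steganography round-trip: hide Python source in an RGB pixel buffer,
recover it, and run it. Added example (not judyb's code, not the apicolor
payload); image data and hidden source are constructed here."""

import struct

WIDTH, HEIGHT = 64, 64  # constructed cover image dimensions
CHANNELS = 3            # 8-bit RGB

# Constructed, harmless "hidden code" standing in for the attacker's payload.
HIDDEN_SOURCE = (
    "def stage_two():\n"
    "    return 'second-stage payload ran'\n"
)


def make_cover_image(width=WIDTH, height=HEIGHT):
    """Build a deterministic 8-bit RGB pixel buffer to serve as the cover image.
    Constructed sample data; a real attacker would use a normal-looking picture."""
    buf = bytearray(width * height * CHANNELS)
    for i in range(len(buf)):
        buf[i] = (i * 37 + 11) & 0xFF
    return bytes(buf)


def lsb_hide(cover: bytes, payload: bytes) -> bytes:
    """Write payload (prefixed with a 4-byte big-endian length) into the least
    significant bit of successive cover bytes, MSB of each payload byte first.
    Raises ValueError if the cover has too few bytes to carry the payload."""
    data = struct.pack(">I", len(payload)) + payload
    needed = len(data) * 8
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} bytes, have {len(cover)}")
    out = bytearray(cover)
    for bit_index in range(needed):
        byte = data[bit_index // 8]
        bit = (byte >> (7 - bit_index % 8)) & 1
        out[bit_index] = (out[bit_index] & 0xFE) | bit
    return bytes(out)


def lsb_reveal(stego: bytes) -> bytes:
    """Inverse of lsb_hide: read the length header, then that many payload bytes.
    Rejects a header that claims more data than the image can hold."""
    def read_bytes(start_bit, count):
        result = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + k] & 1)
            result.append(value)
        return bytes(result)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if length * 8 + 32 > len(stego):
        raise ValueError("declared payload length exceeds image capacity")
    return read_bytes(32, length)


def max_byte_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-byte change introduced by embedding; LSB hiding alters each
    byte by at most 1, which is why the image looks unchanged to a viewer."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def recover_and_run(stego: bytes) -> str:
    """The installer-side step: reveal the hidden source, compile it, and execute it.
    Here the payload is benign and runs in an isolated namespace; the real
    sample's hidden code went on to download and launch a remote binary."""
    source = lsb_reveal(stego).decode("utf-8")
    namespace = {}
    exec(compile(source, "<hidden>", "exec"), namespace)
    return namespace["stage_two"]()


if __name__ == "__main__":
    cover = make_cover_image()
    stego = lsb_hide(cover, HIDDEN_SOURCE.encode())
    print("bytes changed by at most:", max_byte_delta(cover, stego))
    print("recovered and ran:", recover_and_run(stego))
```

Note that nothing about the stego buffer is visibly different from the cover: every byte differs by at most one, so the picture downloaded by the installer looks ordinary. This is also why the indicators a reviewer should look for live in the setup code (dependencies installed by hand at install time, an image fetched from a hosting service, a steganography import, and an exec of whatever comes out) rather than in the image itself.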
This campaign is part of an ongoing pattern in which attackers abuse open-source ecosystems to exploit users' trust and mount supply-chain attacks. More worrying still, such malicious libraries can be pulled in as dependencies by other open-source projects and published on GitHub, which expands the reach and scale of the attack.