Cybersecurity researchers at Fortinet have uncovered two malicious packages slithering within the Python Package Index (PyPI), ready to strike unsuspecting users. Dubbed “zebo” and “cometlogger,” these packages were downloaded hundreds of times before being yanked from the repository, with a majority of the victims residing in the United States, China, Russia, and India.
The zebo package employs obfuscation techniques, such as encoding strings in hexadecimal format, to conceal the URL of its command-and-control (C2) server. Its functionalities include keystroke logging via the pynput library and capturing hourly screenshots using ImageGrab.
Captured images are stored locally before being uploaded to the free image-hosting service ImgBB through an API key obtained from the C2 server. To ensure persistence, zebo creates a script that adds itself to the Windows startup sequence.
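A static triage check for the zebo traits described above (hex-encoded string constants that decode to a URL, imports of pynput or PIL.ImageGrab, and references to the Windows Startup folder), written here as an added example rather than code from Fortinet's report; the sample module and its placeholder URL are constructed for the demonstration.

```python
import ast
import re

SUSPICIOUS_IMPORTS = ("pynput", "PIL.ImageGrab")  # keylogging and screenshot capture
URL_RE = re.compile(r"https?://", re.IGNORECASE)
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){8,}$")   # 16+ hex chars, even length
STARTUP_HINT = "start menu\\programs\\startup"      # Windows per-user autostart folder

def _suspicious_import(name):
    return any(name == s or name.startswith(s + ".") for s in SUSPICIOUS_IMPORTS)

def _decode_hex(text):
    # Decode a long hex literal to printable text; None if it is not one
    if not HEX_RE.match(text):
        return None
    try:
        decoded = bytes.fromhex(text).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None

def scan_source(source):
    """Statically scan Python source and return sorted finding tags."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _suspicious_import(alias.name):
                    findings.add(f"import:{alias.name}")
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                full = f"{node.module}.{alias.name}"
                if _suspicious_import(full):
                    findings.add(f"import:{full}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = _decode_hex(node.value)
            if decoded is not None:
                tag = "hex-url" if URL_RE.search(decoded) else "hex-string"
                findings.add(f"{tag}:{decoded}")
            if STARTUP_HINT in node.value.lower():
                findings.add("startup-path")
    return sorted(findings)

# Constructed sample module (placeholder URL, not a real indicator).
C2_PLAIN = "http://c2.example.invalid/upload"
SAMPLE = (
    "from pynput import keyboard\n"
    "from PIL import ImageGrab\n"
    f'C2 = bytes.fromhex("{C2_PLAIN.encode().hex()}").decode()\n'
    r'STARTUP = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"' "\n"
)
```

Long hex literals such as checksums are common in legitimate packages, so the check only reports those that decode to printable text; treat the tags as triage hints to review, not as a verdict.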
Cometlogger, on the other hand, is a more sophisticated tool. It is capable of stealing cookies, passwords, tokens, and account details from widely-used applications such as Discord, Steam, Instagram, X, TikTok, Reddit, Twitch, Spotify, and Roblox. Additionally, it gathers system metadata, network and Wi-Fi information, a list of running processes, and clipboard contents.
To mask its activities, cometlogger detects virtualized environments and terminates processes related to browsers to gain unrestrained access to files. Its asynchronous task execution allows it to extract substantial amounts of data in minimal time.
Fortinet researchers urge users to exercise extreme caution when downloading packages from PyPI, to always scrutinize code before executing it, and to stick to verified sources.