Malicious PyPI Packages Detected: Stealing Keystrokes and Hijacking Accounts

Cybersecurity researchers from Fortinet FortiGuard Labs have identified two malicious packages—zebo and cometlogger—on the Python Package Index (PyPI). Before being taken down, these packages were downloaded 118 and 164 times, primarily in the United States, China, Russia, and India.

Key Findings

Zebo

  • Purpose: Surveillance, data theft, and system control.
  • Techniques: Obfuscation with hex-encoded strings to hide its command-and-control (C2) server URL. Uses the pynput library for keystroke logging and ImageGrab to capture hourly screenshots, which are uploaded to ImgBB. Creates persistence by adding a batch script to the Windows Startup folder.

Cometlogger

  • Purpose: Data exfiltration on a wider scale.
  • Capabilities: Steals cookies, passwords, tokens, and account details from platforms like Discord, Instagram, TikTok, and Steam. Collects system metadata, Wi-Fi details, clipboard content, and running process information. Bypasses detection with anti-virtual machine checks and forcibly terminates browser processes to access files without restriction. Asynchronously executes tasks for high-speed data theft.

Recommendations

  • Avoid downloading and executing scripts from unverified sources.
  • Scrutinize the code of any third-party packages before use.
  • Regularly monitor systems for unusual behavior and unauthorized access attempts.
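A practical way to act on "scrutinize the code of any third-party packages before use" is a small static check that flags the indicators this write-up attributes to zebo and cometlogger: imports of keystroke-capture and screen-capture libraries, runtime decoding of long hex-encoded strings, and file paths pointing at the Windows Startup folder or an image-hosting upload. The following scanner is an added example, not code from Fortinet or from either package; the sample sources it scans are constructed for illustration (the hex literal decodes to `http://example.com`), and the indicator lists are assumptions chosen to match the behaviours described above, not a complete signature set.

```python
import ast
import re
from pathlib import Path

# Indicators drawn from the description of zebo/cometlogger above.
# These lists are illustrative assumptions, not an exhaustive ruleset.
SUSPICIOUS_MODULES = {
    "pynput": "keystroke/mouse capture library",
    "PIL.ImageGrab": "screen capture",
}
SUSPICIOUS_CALLS = {
    "bytes.fromhex": "runtime decoding of a hex-encoded string",
    "exec": "dynamic code execution",
}
# A string literal made entirely of 16+ hex byte pairs (32+ hex digits).
HEX_RUN = re.compile(r"^(?:[0-9a-fA-F]{2}){16,}$")
# Substrings (compared case-insensitively) that indicate Startup-folder
# persistence or an upload to the image host named in the report.
PATH_MARKERS = ("Start Menu\\Programs\\Startup", "imgbb")


def _qualified_name(node):
    """Return the dotted name of a Name/Attribute chain (e.g. bytes.fromhex)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _module_matches(name, mod):
    return name == mod or name.startswith(mod + ".")


def scan_source(source, filename="<string>"):
    """Return a sorted list of (line, description) findings for one file."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                for mod, why in SUSPICIOUS_MODULES.items():
                    if _module_matches(alias.name, mod):
                        findings.append((node.lineno, f"import {alias.name}: {why}"))
        elif isinstance(node, ast.ImportFrom):
            base = node.module or ""
            for alias in node.names:
                full = f"{base}.{alias.name}" if base else alias.name
                for mod, why in SUSPICIOUS_MODULES.items():
                    if _module_matches(base, mod) or _module_matches(full, mod):
                        findings.append((node.lineno, f"from {base} import {alias.name}: {why}"))
        elif isinstance(node, ast.Call):
            name = _qualified_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"call {name}: {SUSPICIOUS_CALLS[name]}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            value = node.value
            if HEX_RUN.match(value):
                findings.append((node.lineno, "long hex-encoded string literal"))
            for marker in PATH_MARKERS:
                if marker.lower() in value.lower():
                    findings.append((node.lineno, f"string references {marker!r}"))
    return sorted(findings)


def scan_package_dir(root):
    """Scan every .py file under an unpacked sdist/wheel; returns {path: findings}."""
    results = {}
    for path in Path(root).rglob("*.py"):
        try:
            findings = scan_source(path.read_text(encoding="utf-8", errors="replace"), str(path))
        except SyntaxError as exc:
            findings = [(exc.lineno or 0, f"unparseable source: {exc.msg}")]
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample inputs (not real package code).
BENIGN_SAMPLE = """\
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
"""

SUSPICIOUS_SAMPLE = r"""from pynput import keyboard
from PIL import ImageGrab
import os
url = bytes.fromhex("687474703a2f2f6578616d706c652e636f6d").decode()
startup = os.path.join(os.environ["APPDATA"], "Microsoft\\Windows\\Start Menu\\Programs\\Startup")
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(f"{label}:")
        for line, msg in scan_source(src):
            print(f"  line {line}: {msg}")
```

Run `scan_package_dir("path/to/unpacked-package")` on a package extracted with `pip download --no-deps <name>` followed by `tar xf` or `unzip` before installing it. A hit is a reason to read the file, not proof of malice (a legitimate automation tool may import pynput), but a hex-encoded URL combined with a Startup-folder path in a package that has no business doing either is exactly the pattern the report describes.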

This incident highlights the importance of vigilance when using open-source repositories. The growing sophistication of malicious packages calls for enhanced security practices and awareness.
