Researchers Uncover Malicious PyPI Packages Targeting Sensitive Data
Cybersecurity researchers from Fortinet FortiGuard Labs have recently identified two malicious packages uploaded to the Python Package Index (PyPI), raising significant concerns about data security within the Python ecosystem. The packages, named zebo and cometlogger, were designed to exfiltrate sensitive information from compromised systems and had garnered a total of 282 downloads before being removed.
Details of the Malicious Packages
Zebo
- Functionality: Zebo is typical malware of its kind, equipped with features for surveillance, data exfiltration, and unauthorized control. It hides the URL of its command-and-control (C2) server behind hex-encoded strings, so the address never appears in plain text in the package source.
- Data Harvesting: The package uses the pynput library to capture keystrokes and ImageGrab to take a screenshot every hour. The images are uploaded to the free image hosting service ImgBB using an API key retrieved from the C2 server.
- Persistence Mechanism: Zebo persists by creating a batch script that launches its Python code and placing it in the Windows Startup folder, so the malware runs again automatically whenever the user logs in, including after every reboot.
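The persistence mechanism above leaves a concrete host artifact: a batch file in the user's Startup folder that launches a Python interpreter. The following Python triage check is an added example, not code from the FortiGuard report or from either package. It lists every .bat or .cmd in the per-user Startup folder (under %APPDATA%; the all-users folder under ProgramData is not covered) whose non-comment lines invoke python, pythonw or py. Because the check is meant to run offline here, build_sample_startup_dir() writes a constructed fixture (a zebo-style launcher plus two benign files) into a temporary directory; on a Windows host the real folder is used instead.

```python
import os
import re
import tempfile
from pathlib import Path

# Per-user Startup folder (the all-users one under ProgramData is not covered).
STARTUP_SUBPATH = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"
# A word-bounded python/pythonw/py token, optionally with .exe, e.g. "pythonw.exe"
# or "C:\Python311\python.exe"; "copy" or "pyinstaller" do not match.
PYTHON_LAUNCH_RE = re.compile(r"\b(?:python\d*w?|py)(?:\.exe)?\b", re.IGNORECASE)


def user_startup_folder():
    """Path of the current user's Startup folder, or None when APPDATA is unset."""
    appdata = os.environ.get("APPDATA")
    return Path(appdata) / STARTUP_SUBPATH if appdata else None


def find_python_launchers(startup_dir):
    """Return (path, line) for every .bat/.cmd in startup_dir that launches Python.

    Comment and echo lines are skipped so a script that merely mentions
    "python" in a remark is not reported.
    """
    hits = []
    for entry in sorted(Path(startup_dir).iterdir()):
        if entry.suffix.lower() not in (".bat", ".cmd"):
            continue
        try:
            lines = entry.read_text(errors="replace").splitlines()
        except OSError:
            continue
        for line in lines:
            stripped = line.strip()
            lowered = stripped.lower()
            if lowered.startswith(("rem ", "rem\t", "::", "echo ", "@echo ")):
                continue
            if PYTHON_LAUNCH_RE.search(stripped):
                hits.append((entry, stripped))
                break  # one hit per file is enough for triage
    return hits


def build_sample_startup_dir():
    """Constructed fixture: a temp directory mimicking a Startup folder.

    update.bat models the zebo-style launcher; the other files are benign.
    """
    root = Path(tempfile.mkdtemp(prefix="startup-demo-"))
    (root / "update.bat").write_text(
        "@echo off\r\n"
        'start "" /min pythonw.exe "%APPDATA%\\svc\\main.py"\r\n'
    )
    (root / "backup.bat").write_text(
        "rem python is not used here\r\n"
        'copy "%USERPROFILE%\\notes.txt" "%USERPROFILE%\\notes.bak"\r\n'
    )
    (root / "desktop.ini").write_text("[.ShellClassInfo]\r\n")
    return root


if __name__ == "__main__":
    folder = user_startup_folder()
    if folder is None or not folder.is_dir():
        folder = build_sample_startup_dir()  # offline demonstration
    for path, line in find_python_launchers(folder):
        print(f"{path}: {line}")
```

A hit is a lead, not a verdict: legitimate tooling also starts Python at logon, so the next step is to read the launched script and check where it came from.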
Cometlogger
- Data Siphoning: Cometlogger is more feature-rich, capable of extracting a wide range of information including cookies, passwords, tokens, and account data from popular applications like Discord, Steam, Instagram, TikTok, and others.
- System Information Gathering: It also harvests system metadata, network and Wi-Fi details, the list of running processes, and clipboard content. It includes checks intended to avoid running inside virtualized analysis environments, and it terminates browser processes so that the credential and cookie databases those browsers keep locked can be read.
- Efficiency: The script runs its collection tasks asynchronously, so it can steal large amounts of data quickly.
Implications and Recommendations
The discovery of these malicious packages highlights the potential risks associated with using third-party libraries from repositories like PyPI. Security researcher Jenna Wang emphasizes the importance of scrutinizing code before execution and avoiding interaction with scripts from unverified sources.
As developers increasingly rely on open-source packages for their projects, it becomes crucial to maintain vigilance against such threats. Users are advised to:
- Conduct thorough reviews of any third-party code before installing or running it.
- Monitor downloads and usage statistics for suspicious activity.
- Implement security measures to protect sensitive data.
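As an added example that is not code from the FortiGuard report or from either package, the following Python audit shows what "reviewing third-party code before execution" can look like for the zebo indicators described above: it parses a downloaded package's source with the standard ast module (nothing is imported or executed) and flags imports of pynput or ImageGrab, hex-encoded string literals (decoding them and reporting any URL they hide, which is how the C2 address was concealed), and string literals that point at the Windows Startup folder or name a .bat file. The SAMPLE source it runs against is constructed for this example and merely models the described behaviour; the finding labels and the example.invalid URL are this example's own.

```python
import ast
import re

# Indicators taken from the description of zebo: the modules it imports, hex-
# encoded string literals hiding its C2 URL, and a batch file in the Startup
# folder. The finding labels are this example's own.
SUSPICIOUS_MODULES = {"pynput", "PIL.ImageGrab", "ImageGrab"}
STARTUP_MARKER = "start menu/programs/startup"
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){4,}$")


def decode_hex_string(value):
    """Return the printable ASCII text hidden in a hex literal, else None."""
    if not HEX_RE.match(value):
        return None
    try:
        text = bytes.fromhex(value).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


class Auditor(ast.NodeVisitor):
    """Walks a module's AST and records (category, line, detail) findings."""

    def __init__(self):
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            self._check_module(alias.name, node.lineno)

    def visit_ImportFrom(self, node):
        module = node.module or ""
        self._check_module(module, node.lineno)
        for alias in node.names:
            self._check_module(f"{module}.{alias.name}", node.lineno)

    def _check_module(self, name, line):
        if name in SUSPICIOUS_MODULES:
            self.findings.append(("suspicious-import", line, name))

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            self._check_string(node.value, node.lineno)

    def _check_string(self, text, line):
        decoded = decode_hex_string(text)
        if decoded is not None:
            self.findings.append(("hex-encoded-string", line, decoded))
            text = decoded  # inspect the hidden value, not the hex
        for url in URL_RE.findall(text):
            self.findings.append(("embedded-url", line, url))
        if STARTUP_MARKER in text.replace("\\", "/").lower():
            self.findings.append(("startup-folder-path", line, text))
        if text.lower().endswith(".bat"):
            self.findings.append(("batch-script-name", line, text))


def audit_source(source, filename="<package>"):
    """Parse source without executing it and return the list of findings."""
    auditor = Auditor()
    auditor.visit(ast.parse(source, filename=filename))
    return auditor.findings


def persistence_suspected(findings):
    """Startup-folder path plus a .bat name is the pattern the article describes."""
    categories = {category for category, _, _ in findings}
    return {"startup-folder-path", "batch-script-name"} <= categories


# Constructed sample modelled on the described behaviour (not zebo's code).
# The hex literal decodes to http://example.invalid/apikey.
SAMPLE = r'''
import os
from pynput import keyboard
from PIL import ImageGrab

C2 = bytes.fromhex("687474703a2f2f6578616d706c652e696e76616c69642f6170696b6579").decode()
startup = os.path.join(os.environ["APPDATA"],
                       "Microsoft\\Windows\\Start Menu\\Programs\\Startup")
with open(os.path.join(startup, "update.bat"), "w") as f:
    f.write("python " + __file__)
'''

if __name__ == "__main__":
    results = audit_source(SAMPLE)
    for category, line, detail in results:
        print(f"line {line}: {category}: {detail}")
    print("persistence suspected:", persistence_suspected(results))
```

Run it over every .py file of a package obtained with pip download (not pip install) and read the flagged lines by hand; a decoded hex string that turns out to be a URL is exactly the kind of finding a quick visual skim of the source would miss.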
In conclusion, while open-source software offers numerous advantages, it also presents vulnerabilities that can be exploited by malicious actors. Awareness and proactive security practices are essential in safeguarding against these threats.
Citations: [1] https://thehackernews.com/2024/12/researchers-uncover-pypi-packages.html