Two malicious packages on the Python Package Index (PyPI) repository have been identified by Fortinet FortiGuard Labs for their data theft capabilities. The packages, zebo and cometlogger, accumulated 118 and 164 downloads respectively, primarily from users in the United States, China, Russia, and India before being removed.
Zebo Package Analysis:
– Obfuscates its code with hex-encoded strings
– Communicates with a command-and-control (C2) server over HTTP
– Captures keystrokes using the pynput library
– Takes hourly screenshots and uploads them to ImgBB
– Establishes persistence through the Windows Startup folder so that it runs automatically on every system reboot
Cometlogger Package Capabilities:
– Extracts sensitive data from multiple platforms, including Discord, Steam, Instagram, X, TikTok, Reddit, Twitch, Spotify, and Roblox
– Collects system metadata, network information, and the list of running processes
– Monitors clipboard content
– Performs anti-virtualization checks
– Terminates browser processes to gain unrestricted access to their data
– Uses asynchronous execution to speed up data theft
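A defender reviewing a downloaded package can look for the behaviours listed above before anything is installed. The following static scanner is an added example, not FortiGuard's tooling or code from either package; it flags the indicators the report names (pynput import, runs of hex-escaped string literals, a Startup-folder path, forced browser termination) in a constructed sample source file. The PIL.ImageGrab module and the taskkill pattern are assumptions, not details from the report.

```python
"""Static indicator scan for a Python package's source files (added example)."""
import ast
import re

# pynput (keystroke capture) is named in the report; PIL.ImageGrab is an assumed screenshot module.
SUSPICIOUS_MODULES = {"pynput", "PIL.ImageGrab"}
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")  # 8+ hex escapes in a row: hex-string obfuscation
STARTUP_DIR = re.compile(r"Start Menu[\\/]+Programs[\\/]+Startup", re.I)  # Startup-folder persistence
BROWSER_KILL = re.compile(r"taskkill.+?(chrome|firefox|msedge|brave)\.exe", re.I)  # assumed kill pattern

def imported_modules(tree: ast.AST) -> set:
    """Dotted names of every module or submodule the file imports."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module)
            names.update(f"{node.module}.{alias.name}" for alias in node.names)
    return names

def scan_source(src: str) -> list:
    """Return indicator labels found in one Python source file (imports sorted first)."""
    flagged = set()
    for mod in imported_modules(ast.parse(src)):
        root = mod.split(".")[0]
        if mod in SUSPICIOUS_MODULES:
            flagged.add(mod)
        elif root in SUSPICIOUS_MODULES:
            flagged.add(root)
    findings = [f"import:{m}" for m in sorted(flagged)]
    hex_literals = len(HEX_RUN.findall(src))
    if hex_literals:
        findings.append(f"hex_obfuscation:{hex_literals}")
    if STARTUP_DIR.search(src):
        findings.append("startup_persistence")
    if BROWSER_KILL.search(src):
        findings.append("browser_termination")
    return findings

# Constructed sample mimicking the reported behaviours; the hex literal decodes to the
# placeholder "http://example". The sample is only parsed, never executed.
SAMPLE = r'''
import os, subprocess
from pynput import keyboard
from PIL import ImageGrab
C2 = "\x68\x74\x74\x70\x3a\x2f\x2f\x65\x78\x61\x6d\x70\x6c\x65"
STARTUP = os.path.join(os.environ["APPDATA"], "Microsoft\\Windows\\Start Menu\\Programs\\Startup")
subprocess.call("taskkill /F /IM chrome.exe", shell=True)
'''
```

Run `scan_source` over every `.py` file in an unpacked wheel or sdist; a clean package yields an empty list, while the sample above produces five findings.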
Security researcher Jenna Wang emphasizes the importance of verifying code and avoiding unverified sources, as these packages demonstrate sophisticated surveillance and data exfiltration capabilities while masquerading as legitimate software.