Two malicious packages uploaded to the Python Package Index (PyPI) repository have been identified by cybersecurity researchers as tools for exfiltrating sensitive information from compromised systems, according to Fortinet FortiGuard Labs. The packages, named zebo and cometlogger, were downloaded 118 and 164 times, respectively, before being removed. ClickPy statistics reveal that most downloads originated from the United States, China, Russia, and India.
zebo is described by security researcher Jenna Wang as a typical example of malware built for surveillance, data theft, and unauthorized control. It hides the URL of its command-and-control (C2) server behind hex-encoded string literals and talks to that server over plain HTTP. Hex escapes only defeat naive string matching: the literal decodes to the clear-text URL the moment the interpreter evaluates it. For harvesting, the package uses the pynput library to log keystrokes and PIL's ImageGrab to take a screenshot every hour; the screenshots are uploaded to the ImgBB image-hosting service with an API key fetched from the C2 server. It achieves persistence by writing a batch script into the Windows Startup folder that relaunches the malicious Python code on every reboot.
cometlogger is considerably more feature-packed: it steals cookies, passwords, tokens, and account data from a range of applications, including Discord, Steam, Instagram, TikTok, Reddit, Twitch, Spotify, and Roblox. It also collects system metadata, network and Wi-Fi details, clipboard contents, and the list of running processes, and runs its collection tasks asynchronously so that exfiltration completes quickly. To hinder analysis it performs anti-virtual-machine checks before executing, and it terminates browser processes so that the cookie and credential databases those browsers keep locked can be read and copied without obstruction.
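The indicators described for both packages (hex-escaped string literals that decode to a C2 URL, hex strings decoded at runtime, keylogging and screenshot imports, a batch file dropped into the Startup folder, and browser processes being killed) can be checked statically before a package is ever installed. The script below is an added example, not code from Fortinet or from the zebo or cometlogger packages; it scans a Python source file with the standard `tokenize` and `ast` modules, decodes hex-obfuscated literals, and reports the indicator categories it finds. The `SAMPLE` module, its `.invalid` hostname, and the indicator lists are constructed for illustration.

```python
"""Static triage of a Python source file for the indicators described above.

Added example, not the packages' or Fortinet's code. SAMPLE is a constructed
module that mimics the described behaviours; its host is fictitious.
"""
import ast
import io
import re
import tokenize
from dataclasses import dataclass, field

# Libraries that are legitimate on their own but, combined, match the described toolkit.
SUSPICIOUS_IMPORTS = {"pynput", "PIL.ImageGrab"}
HEX_RUN = re.compile(r"^[0-9a-fA-F]{16,}$")        # bytes.fromhex("...") style encoding
URL_RE = re.compile(r"https?://[^\s\"']+")
PERSISTENCE_HINTS = ("Start Menu\\Programs\\Startup", "Startup", ".bat")
KILL_HINTS = ("taskkill", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")


@dataclass
class Findings:
    c2_urls: list[str] = field(default_factory=list)
    decoded_strings: list[str] = field(default_factory=list)
    suspicious_imports: set[str] = field(default_factory=set)
    persistence: bool = False
    kills_browsers: bool = False

    def indicator_count(self) -> int:
        """Number of distinct indicator categories present."""
        return sum([bool(self.c2_urls), bool(self.decoded_strings),
                    bool(self.suspicious_imports), self.persistence, self.kills_browsers])


def decode_obfuscated_strings(source: str) -> list[tuple[str, str]]:
    """Return (raw_literal, decoded_text) for string literals that look hex-obfuscated."""
    found = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.STRING:
            continue
        raw = tok.string
        try:
            value = ast.literal_eval(raw)       # safe: evaluates the literal only
        except (ValueError, SyntaxError):
            continue
        if isinstance(value, bytes):
            value = value.decode("latin-1", "replace")
        if raw.count("\\x") >= 4:               # "\x68\x74\x74\x70..." escape obfuscation
            found.append((raw, value))
        elif isinstance(value, str) and HEX_RUN.match(value):
            try:                                # "687474..." decoded at runtime via fromhex
                found.append((raw, bytes.fromhex(value).decode("utf-8")))
            except (ValueError, UnicodeDecodeError):
                continue
    return found


def imported_modules(source: str) -> set[str]:
    """Collect module names and 'module.name' pairs from import statements."""
    names: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module)
            names.update(f"{node.module}.{alias.name}" for alias in node.names)
    return names


def triage(source: str) -> Findings:
    """Run all indicator checks over one module's source text."""
    f = Findings()
    for _raw, decoded in decode_obfuscated_strings(source):
        f.decoded_strings.append(decoded)
        f.c2_urls.extend(URL_RE.findall(decoded))
    f.suspicious_imports = imported_modules(source) & SUSPICIOUS_IMPORTS
    f.persistence = any(hint in source for hint in PERSISTENCE_HINTS)
    f.kills_browsers = any(hint in source.lower() for hint in KILL_HINTS)
    return f


# Constructed sample mimicking the described techniques (fictitious host and key).
SAMPLE = r'''
import os
import requests
from pynput import keyboard
from PIL import ImageGrab

C2 = "\x68\x74\x74\x70\x3a\x2f\x2f\x63\x32\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64\x2f\x62\x65\x61\x63\x6f\x6e"
KEY = bytes.fromhex("696d6762625f6170695f6b6579").decode()
startup = os.path.join(os.getenv("APPDATA"), r"Microsoft\Windows\Start Menu\Programs\Startup", "run.bat")
os.system("taskkill /F /IM chrome.exe")
'''

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"indicator categories: {result.indicator_count()}/5")
    print("decoded C2:", result.c2_urls)
    print("decoded strings:", result.decoded_strings)
    print("suspicious imports:", sorted(result.suspicious_imports))
```

Run it against an unpacked sdist or wheel (`python triage.py` after pointing `triage()` at each file's contents). Three or more indicator categories in a small utility package is a strong reason not to install it; a single hit, such as `pynput` alone, is normal for many legitimate tools and needs a human read of the surrounding code.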
“While some features might resemble legitimate tools, the suspicious functionality and lack of transparency make these scripts unsafe to execute,” Wang warned. “Always review code before running it and avoid interacting with scripts from unverified sources.”