Two New Malicious PyPI Packages Target Users to Steal Login Credentials

25.12.2024


Two newly identified malicious PyPI packages, Zebo-0.1.0 and Cometlogger-0.1, have raised significant concerns about user security. These packages, uploaded in November 2024, are designed to steal sensitive data such as login credentials, browsing history, and financial information, posing a serious threat to unsuspecting developers and users. The discovery of these malicious packages emphasizes the need for caution when using open-source software repositories.

Zebo-0.1.0 employs obfuscation techniques such as hex-encoded strings to evade detection, and uses HTTP requests to a Firebase database to exfiltrate stolen data. This stealthy approach allows it to bypass many automated defenses, making it a dangerous threat. The malware logs every keystroke using the pynput library, stores the keystrokes locally, and uploads the data to a remote server. It also captures screenshots periodically and sends them to an external server, further compromising user privacy.

One of Zebo’s most concerning features is its persistence mechanism. It creates a script and batch file in the Windows Startup folder, ensuring that it continues to run every time the system restarts. This persistence allows the malware to remain on the system for long periods, making it a continuous security risk. Additionally, Zebo uses dynamic file manipulation to embed remote command-and-control URLs, giving attackers the ability to execute commands and extract data remotely.
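The indicator classes described in the two paragraphs above (a keylogging import, hex-obfuscated string literals, a Firebase exfiltration endpoint, a write into the Windows Startup folder) can be triaged statically before a package is ever installed. The following is an added example of such a pre-install scanner; it is not code from the article or from the analysed packages. It parses a Python source file with the standard `ast` module, and the two input samples at the bottom are constructed for this example. The exact regular expressions and the `is_suspicious` threshold are assumptions; only `pynput`, Firebase and the Startup folder come from the article.

```python
"""Static triage of a Python source file for indicator classes from the article."""
import ast
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    detail: str


# Indicator tables. The article names pynput (keylogging), Firebase (exfiltration)
# and the Windows Startup folder (persistence); the patterns themselves are assumptions.
WATCHED_MODULES = {"pynput": "keystroke capture library"}
WATCHED_STRINGS = {
    re.compile(r"firebase", re.I): "Firebase endpoint (possible exfiltration channel)",
    re.compile(r"Programs[\\/]+Startup", re.I): "Windows Startup folder path (persistence)",
}
# Six or more consecutive \xNN escapes in the raw source is treated as a hex-obfuscated literal.
HEX_ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){6,}")
# Calls that turn a hex string back into bytes at runtime.
HEX_DECODERS = {"fromhex", "unhexlify"}


def _scan_text(source: str) -> list[Finding]:
    """Look at the raw text: escape runs are only visible before Python decodes them."""
    out = []
    for m in HEX_ESCAPE_RUN.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        decoded = m.group(0).encode("ascii").decode("unicode_escape")
        out.append(Finding(line, "hex-escaped literal", f"decodes to {decoded!r}"))
    return out


def _scan_ast(tree: ast.AST) -> list[Finding]:
    """Walk the AST: string constants are already unescaped here, so the substring
    checks see the plaintext even when the source hid it behind \\x escapes."""
    out = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                     else [node.module or ""])
            for name in names:
                root = name.split(".")[0]
                if root in WATCHED_MODULES:
                    out.append(Finding(node.lineno, "suspicious import",
                                       f"{name}: {WATCHED_MODULES[root]}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for pattern, why in WATCHED_STRINGS.items():
                if pattern.search(node.value):
                    out.append(Finding(node.lineno, "indicator string", f"{why}: {node.value!r}"))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr in HEX_DECODERS and node.args
              and isinstance(node.args[0], ast.Constant) and isinstance(node.args[0].value, str)):
            try:
                plain = bytes.fromhex(node.args[0].value).decode("utf-8", "replace")
            except ValueError:
                continue  # not a valid hex literal, nothing to decode
            out.append(Finding(node.lineno, "runtime hex decode",
                               f"{node.func.attr}() yields {plain!r}"))
    return out


def triage(source: str) -> list[Finding]:
    """Return all findings for one source file, ordered by line."""
    findings = _scan_text(source) + _scan_ast(ast.parse(source))
    return sorted(findings, key=lambda f: (f.line, f.kind))


def is_suspicious(findings: list[Finding]) -> bool:
    """A single hex literal is noisy on its own; two or more indicator classes
    together (e.g. keylogger import plus Startup path) warrant a manual review."""
    return len({f.kind for f in findings}) >= 2


# Constructed sample: an inert snippet carrying the indicators, not real malware.
SAMPLE_SUSPICIOUS = r'''
import os
from pynput import keyboard
URL = "\x68\x74\x74\x70\x73\x3a\x2f\x2f\x78\x2e\x66\x69\x72\x65\x62\x61\x73\x65\x69\x6f\x2e\x63\x6f\x6d"
startup = os.path.join(os.getenv("APPDATA"), r"Microsoft\Windows\Start Menu\Programs\Startup")
cmd = bytes.fromhex("75706c6f6164")
'''

# Constructed sample: ordinary code that should produce no findings.
SAMPLE_BENIGN = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_SUSPICIOUS):
        print(f"line {f.line}: {f.kind}: {f.detail}")
    print("suspicious:", is_suspicious(triage(SAMPLE_SUSPICIOUS)))
```

Running the block on the constructed sample reports the `pynput` import, the hex-escaped literal (decoded to its Firebase URL) on the same line as the Firebase indicator string, the Startup folder path, and the `fromhex()` call. Scanning the raw text and the AST separately matters: the escape run is only visible in the text, while the Firebase and Startup substrings are only recognisable after Python has decoded the literal.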

Cometlogger-0.1 targets browser data, such as cookies, saved passwords, and session information, as well as cryptocurrency wallet credentials. It can decrypt browser files to extract sensitive details from platforms like Discord, Instagram, and Twitter. Cometlogger is also capable of evading detection by using anti-VM techniques to avoid sandbox environments typically used by security researchers.

The emergence of Zebo-0.1.0 and Cometlogger-0.1 highlights the growing threats within the open-source ecosystem. These incidents serve as a reminder of the importance of implementing strong security measures to protect personal and organizational data from malicious actors. By adopting best practices and maintaining vigilance, users can better safeguard their systems and contribute to a safer development environment.
