Two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, have been discovered on PyPI, posing severe threats to user privacy and system security. These packages are designed to steal sensitive data, capture keystrokes, take screenshots, and establish persistent control over infected systems. By exploiting the trust developers place in PyPI as a package source, they can infiltrate the systems of unsuspecting developers and organizations with little effort. Both packages employ obfuscation to evade security tools, making them harder to detect and remove.
Zebo-0.1.0 focuses on surveillance and data theft using libraries like pynput for keylogging and ImageGrab for capturing screenshots. The stolen information, including typed credentials and desktop activity, is then exfiltrated to remote servers. Additionally, the malware creates Python scripts and batch files in the Windows Startup folder, ensuring it automatically runs every time the system boots. This persistence mechanism allows the malware to remain undetected for extended periods, amplifying the risk of long-term damage.
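As an added illustration (my own code, not from the article or from any analysis of the packages), the following Python script audits the per-user Windows Startup folder for the kind of dropped Python and batch scripts the persistence mechanism above relies on. The Startup path under %APPDATA% is the standard Windows location; the sample folder contents, the file names, and the triage heuristics (script extensions, a "python" reference in the file body) are assumptions made for the demonstration. On a host without a real Startup folder it runs against a constructed sample directory instead.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path
from typing import Optional

# Per-user Startup folder on Windows, relative to %APPDATA% (standard location).
STARTUP_SUBPATH = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"

# The article reports Python scripts and batch files being dropped here; .pyw and .cmd
# are my additions because Windows launches them the same way.
SUSPICIOUS_SUFFIXES = {".py", ".pyw", ".bat", ".cmd"}


def default_startup_folder() -> Optional[Path]:
    """Current user's Startup folder on Windows; None when APPDATA is not set."""
    appdata = os.environ.get("APPDATA")
    return Path(appdata) / STARTUP_SUBPATH if appdata else None


def audit_startup_folder(folder) -> list[dict]:
    """List script files in a Startup folder that ordinary shortcuts never need.

    Each finding records the path, suffix, size, whether the body references a
    Python interpreter, and the first line for quick triage. Shortcuts (.lnk)
    and other non-script files are ignored.
    """
    findings: list[dict] = []
    folder = Path(folder)
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in SUSPICIOUS_SUFFIXES:
            continue
        try:
            head = entry.read_text(errors="replace")[:4000]
        except OSError:
            head = ""
        lines = head.splitlines()
        findings.append({
            "path": str(entry),
            "kind": entry.suffix.lower(),
            "size": entry.stat().st_size,
            "launches_python": "python" in head.lower(),
            "preview": lines[0][:80] if lines else "",
        })
    return findings


def build_sample_startup(root) -> Path:
    """Constructed sample: one benign shortcut placeholder plus two dropped scripts."""
    folder = Path(root) / STARTUP_SUBPATH
    folder.mkdir(parents=True)
    (folder / "OneDrive.lnk").write_bytes(b"L\x00\x00\x00")            # placeholder, ignored
    (folder / "svc.py").write_text("import pynput\n")                  # stand-in dropped script
    (folder / "update.bat").write_text('@echo off\npythonw "%APPDATA%\\svc.py"\n')
    return folder


def run_sample_audit() -> list[dict]:
    """Audit the constructed sample folder; used when no real Startup folder exists."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_startup_folder(build_sample_startup(tmp))


if __name__ == "__main__":
    real = default_startup_folder()
    results = audit_startup_folder(real) if real and real.is_dir() else run_sample_audit()
    for finding in results:
        print(finding)
```

Anything this reports is worth a manual look: legitimate Startup entries are almost always `.lnk` shortcuts, so a bare script there, especially one that launches `python` or `pythonw`, matches the behaviour described above and should be examined before the next reboot.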
Cometlogger-0.1, by contrast, takes a more aggressive approach, targeting platforms such as Discord, Steam, and social media networks to steal account credentials and authentication tokens. It dynamically embeds malicious code into Python files, enabling unauthorized access and control, and employs anti-virtual machine (anti-VM) detection techniques to avoid analysis and manipulation. This allows the malware to operate stealthily while exfiltrating critical data to remote servers, posing a significant risk to both individuals and organizations.
These incidents highlight the growing risks associated with open-source repositories like PyPI, where malicious actors can distribute harmful packages disguised as legitimate tools. To mitigate these threats, users are advised to isolate infected systems, use reputable antivirus software, conduct regular system audits, and carefully inspect dependencies before installation. The discovery of Zebo-0.1.0 and Cometlogger-0.1 serves as a critical reminder of the importance of cybersecurity vigilance in software supply chains.
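To make the advice to inspect dependencies before installation concrete, here is an added Python example (mine, not from the article): it checks a requirements file for the two package names reported here and statically scans an unpacked package's source for the indicators the article describes, namely pynput and PIL.ImageGrab imports and string literals naming the Startup folder. The requirements text, the sample package, and the indicator heuristics are constructed assumptions; a real audit would pair this with a check against current advisories, since new names appear constantly.

```python
from __future__ import annotations

import ast
import re
import tempfile
from pathlib import Path

# Packages and versions named in the report, keyed by PEP 503 normalized name.
KNOWN_MALICIOUS = {"zebo": "0.1.0", "cometlogger": "0.1"}

# Requirement line: name, optional [extras], optional ==version (other operators left unparsed).
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?:==\s*([^\s;]+))?")


def normalize_name(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirements(text: str) -> list[str]:
    """Return a message for each requirement that names a package from the report."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("-"):      # blank lines and pip options (-r, -e, ...)
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name = normalize_name(m.group(1))
        if name in KNOWN_MALICIOUS:
            pinned = m.group(2) or "unpinned"
            hits.append(f"{line}: matches reported malicious package {name} "
                        f"(reported version {KNOWN_MALICIOUS[name]}, requested {pinned})")
    return hits


def _imported_modules(node: ast.AST) -> list[str]:
    """Dotted module names introduced by an Import or ImportFrom node."""
    if isinstance(node, ast.Import):
        return [alias.name for alias in node.names]
    base = node.module or ""
    return [f"{base}.{alias.name}" if base else alias.name for alias in node.names]


def _looks_like_startup_path(value: str) -> bool:
    """Heuristic: a literal naming the Startup folder, whole or as a path segment."""
    v = value.lower().replace("\\", "/")
    return v == "startup" or "programs/startup" in v


def scan_package_source(pkg_dir) -> dict[str, list[str]]:
    """Statically flag the indicators described in the report inside unpacked package source."""
    report: dict[str, list[str]] = {"surveillance_imports": [], "persistence_paths": [], "parse_errors": []}
    for py in sorted(Path(pkg_dir).rglob("*.py")):
        try:
            tree = ast.parse(py.read_text(errors="replace"))
        except SyntaxError:
            report["parse_errors"].append(py.name)   # obfuscated or non-Python content also deserves a look
            continue
        for node in ast.walk(tree):
            if isinstance(node, (ast.Import, ast.ImportFrom)):
                for mod in _imported_modules(node):
                    if mod.split(".")[0] == "pynput" or mod.startswith("PIL.ImageGrab"):
                        report["surveillance_imports"].append(f"{py.name}: {mod}")
            elif isinstance(node, ast.Constant) and isinstance(node.value, str):
                if _looks_like_startup_path(node.value):
                    report["persistence_paths"].append(f"{py.name}: {node.value!r}")
    return report


def build_sample_package(root) -> Path:
    """Constructed sample package exhibiting the indicators (not real malware code)."""
    pkg = Path(root) / "suspect_pkg"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("")
    (pkg / "collector.py").write_text(
        "from pynput import keyboard\n"
        "from PIL import ImageGrab\n"
        "import os\n"
        "TARGET = os.path.join(os.environ.get('APPDATA', ''), 'Microsoft', 'Windows',\n"
        "                      'Start Menu', 'Programs', 'Startup')\n"
    )
    (pkg / "util.py").write_text("import json\n")
    return pkg


def run_sample_checks() -> tuple[list[str], dict[str, list[str]]]:
    """Run both checks on constructed inputs: a requirements file and a sample package."""
    requirements = "requests==2.32.3\nZebo==0.1.0  # copied from a tutorial\ncometlogger\n"
    with tempfile.TemporaryDirectory() as tmp:
        return check_requirements(requirements), scan_package_source(build_sample_package(tmp))


if __name__ == "__main__":
    req_hits, source_report = run_sample_checks()
    print("\n".join(req_hits))
    print(source_report)
```

The name check is cheap enough to run in CI on every requirements change; the source scan is meant for a downloaded sdist or wheel unpacked into a scratch directory before anything from it is executed, which is the point at which a keylogging import in an otherwise unrelated utility package stands out.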