Malicious PyPI Packages Stealing Keystrokes and Social Accounts

Cybersecurity researchers have recently uncovered malicious PyPI packages stealing keystrokes and hijacking social accounts. These packages, hosted on the Python Package Index (PyPI), targeted unsuspecting developers and compromised sensitive data.

The findings, reported by Fortinet FortiGuard Labs, underscore the growing risks of downloading code from unverified sources. Read on to learn more about these dangerous packages and how you can protect yourself.

Key Takeaway to Malicious PyPI Packages Stealing Keystrokes and Social Accounts:

• Two PyPI packages, zebo and cometlogger, were found stealing sensitive data and hijacking social media accounts before being removed from the repository.

What Are Malicious PyPI Packages?

PyPI, the Python Package Index, is a central repository for Python code that developers use worldwide. However, not all packages are legitimate. Malicious actors sometimes upload harmful packages disguised as useful tools, aiming to infiltrate systems and steal sensitive information.

Recently, two malicious packages (zebo and cometlogger) were downloaded hundreds of times before being flagged and removed. These packages contained dangerous functionalities designed to steal user data and compromise accounts across various platforms.

Breaking Down the Threats

Zebo: A Spy in Disguise

Zebo is a highly invasive package that uses obfuscation techniques to hide its malicious intent. Here’s what zebo does:

• Data Harvesting: Uses libraries like pynput to record keystrokes and ImageGrab to capture screenshots every hour.
• Persistence Mechanism: Creates scripts to ensure the malware starts every time the system reboots.
• Data Transmission: Uploads stolen data to ImgBB using an API key fetched from its command-and-control (C2) server.

This package posed a severe threat to developers and organizations, highlighting the importance of verifying open-source code before use.

Cometlogger: A Data Thief Extraordinaire

Cometlogger goes beyond standard malware functionalities with its extensive data-harvesting capabilities:

• Account Compromise: Targets popular platforms like Discord, Instagram, and TikTok to steal passwords, cookies, and tokens.
• System Exploitation: Collects metadata, network details, and clipboard content while running processes.
• Avoiding Detection: Incorporates anti-virtualization checks to evade analysis in sandboxed environments.

This malicious package’s ability to terminate browser processes and ensure maximum file access further underscores its sophistication.

A Growing Concern for Developers

This isn’t the first time malicious packages have infiltrated PyPI. For example, in 2022, a package called ctx stole developer credentials from systems. Such incidents reflect a troubling trend of attackers targeting software supply chains.

With these ongoing threats, it’s crucial for developers to:

• Verify package sources before installation.
• Use tools like pip-audit to scan for vulnerabilities.
• Regularly update their systems to patch security flaws.

Future Outlook

The rise of malicious packages signals a broader issue in securing software repositories. Moving forward:

• Repository platforms like PyPI may implement stricter vetting processes for uploaded packages.
• Developers will increasingly rely on automated tools to detect malicious code.
• Education on cybersecurity best practices will become essential in the developer community.

The trend of targeting software supply chains will likely grow, making vigilance more important than ever.

About Fortinet FortiGuard Labs

Fortinet FortiGuard Labs is a global leader in cybersecurity solutions and threat intelligence. They specialize in identifying and mitigating cyber risks, and protecting businesses worldwide.

Rounding Up

The discovery of zebo and cometlogger on PyPI highlights the persistent threat of malicious packages in open-source ecosystems.

Developers must stay informed, use trusted tools, and follow best practices to protect their systems and data. Cybersecurity awareness is not optional but a necessity.

FAQs

What is a malicious PyPI package?

• A package hosted on the Python Package Index containing harmful code designed to steal data or compromise systems.

How do zebo and cometlogger operate?

• Zebo captures keystrokes and screenshots, while cometlogger steals data from platforms like Instagram and Discord.

How can I protect myself from such threats?

• Verify the source of packages, use security tools like pip-audit, and avoid unverified repositories.

What should I do if I’ve downloaded a malicious package?

• Disconnect from the internet, run antivirus software, and remove the package immediately.

Why are software supply chains targeted?

• They provide access to a large number of users, making them lucrative targets for attackers.