Cybersecurity researchers have identified two malicious packages uploaded to the Python Package Index (PyPI) repository that were equipped with capabilities to steal sensitive information from compromised hosts, according to new findings from Fortinet FortiGuard Labs.
The packages, named zebo and cometlogger, attracted 118 and 164 downloads respectively before being taken down. According to ClickPy statistics, the majority of those downloads came from the USA, China, Russia and India.
Zebo is “a typical example of malware with features designed for surveillance, data theft, and unauthorized monitoring,” security researcher Jenna Wang said, adding that cometlogger “also exhibits signs of malicious behavior, including dynamic file manipulation, webhook injection, information theft, and anti-VM (virtual machine) checks.”
The first of the two packages, zebo, uses obfuscation techniques such as hex-encoded strings to hide the URL of the command-and-control (C2) server it communicates with via HTTP requests.
It also contains a range of data collection features, including using the pynput library to capture keystrokes and ImageGrab to take a screenshot every hour, saving it to a local folder before uploading it to the free image hosting service ImgBB using an API key obtained from the C2 server.
In addition to stealing sensitive data, the malware establishes persistence on the machine by creating a batch script that runs the Python code and adding it to the Windows startup folder, so that it runs automatically on every reboot.
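As an added example (not code from FortiGuard Labs or from either package), here is a small static scanner for the zebo traits described above: hex-escaped string literals that decode to a URL, imports of pynput or ImageGrab, and paths pointing at the Windows Startup folder. The source it scans is constructed for the demonstration, and the threshold of eight hex escapes is an assumed tuning value.

```python
import ast
import re

# Heuristics matching the traits the article attributes to zebo:
# hex-escaped string literals that decode to a URL (a hidden C2 address),
# surveillance-related imports, and paths into the Windows Startup folder.
SUSPICIOUS_MODULES = {"pynput", "ImageGrab"}  # matched against dotted import parts
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
STARTUP_RE = re.compile(r"Start Menu[\\/]+Programs[\\/]+Startup", re.IGNORECASE)
HEX_ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}")
HEX_ESCAPE_THRESHOLD = 8  # assumed: fewer escapes are common in benign code

def scan_source(source: str) -> list[str]:
    """Return findings for one Python source file (empty list if nothing matched)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if SUSPICIOUS_MODULES & set(alias.name.split(".")):
                    findings.append(f"surveillance import: {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            names = set((node.module or "").split(".")) | {a.name for a in node.names}
            if SUSPICIOUS_MODULES & names:
                imported = ", ".join(a.name for a in node.names)
                findings.append(f"surveillance import: from {node.module} import {imported}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # The AST holds the decoded value; the raw literal tells us how it was written.
            literal = ast.get_source_segment(source, node) or ""
            if len(HEX_ESCAPE_RE.findall(literal)) >= HEX_ESCAPE_THRESHOLD and URL_RE.match(node.value):
                findings.append(f"hex-obfuscated URL: {node.value}")
            if STARTUP_RE.search(node.value):
                findings.append(f"Windows Startup folder path: {node.value}")
    return findings

# Constructed sample (not real package code) combining the three patterns.
SAMPLE = r'''
import os
from pynput import keyboard
from PIL import ImageGrab
C2 = "\x68\x74\x74\x70\x3a\x2f\x2f\x63\x32\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64"
startup = os.path.join(os.environ["APPDATA"], "Microsoft\\Windows\\Start Menu\\Programs\\Startup")
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```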
Cometlogger, on the other hand, is a feature-rich stealer that grabs a wide range of information, including cookies, passwords, tokens, and account-related data, from apps like Discord, Steam, Instagram, X, TikTok, Reddit, Twitch, Spotify and Roblox.
It is also capable of collecting system metadata, network and Wi-Fi information, the list of running processes, and clipboard contents. It also includes checks to avoid running in virtualized environments and terminates web browser-related processes to ensure unrestricted access to their files.
“By running tasks asynchronously, the script maximizes efficiency by stealing large amounts of data in a short amount of time,” Wang said.
“While some features may be part of a legitimate tool, the lack of transparency and suspicious functionality make it unsafe to execute. Always read code carefully before running it and avoid interacting with scripts from unverified sources.”