Fortinet’s cybersecurity research team has uncovered a significant security threat within the Python Package Index (PyPI), identifying two malicious packages that accumulated over 280 downloads before their removal. The packages, identified as “zebo” and “cometlogger,” primarily targeted users in the United States, China, Russia, and India, representing a sophisticated attempt to compromise developer systems and steal sensitive data.
Advanced Surveillance Capabilities of Zebo Malware
The zebo package demonstrates sophisticated malware engineering, implementing advanced obfuscation techniques including hexadecimal string encoding to mask its command-and-control (C2) server communications. What makes this threat particularly concerning is its persistence mechanism, which leverages Windows startup folders to maintain system access through automatically generated batch scripts.
Data Collection and Exfiltration Methods
Technical analysis reveals that zebo employs the pynput library for comprehensive keystroke logging and utilizes Python’s ImageGrab module for screen capture functionality. The malware implements a sophisticated data exfiltration pipeline, temporarily storing captured screenshots locally before automatically uploading them to ImgBB using API keys received from its C2 infrastructure.
Cometlogger: Sophisticated Credential Harvesting Toolkit
The second identified threat, cometlogger, represents an advanced data harvesting tool designed to extract sensitive information across multiple platforms. This malware specifically targets authentication credentials, cookies, and access tokens from popular services including Discord, Steam, Instagram, X (formerly Twitter), TikTok, Reddit, Twitch, Spotify, and Roblox. Additionally, it collects detailed system information, network configurations, Wi-Fi credentials, and process data.
Cometlogger’s effectiveness is enhanced through its implementation of asynchronous operations, enabling rapid data collection and exfiltration. The malware’s sophisticated architecture allows it to harvest substantial amounts of sensitive information while maintaining a relatively low system footprint.
To protect against these emerging threats, security experts recommend implementing comprehensive dependency scanning practices and maintaining strict package verification protocols. Organizations should establish robust security policies that include regular dependency audits, automated security scanning, and continuous system monitoring to detect and prevent similar supply chain attacks. Developers are strongly advised to verify package authenticity and maintain an updated inventory of trusted dependencies to minimize exposure to supply chain compromises.
