Monday, May 5, 2025

Beware of New Malicious PyPI Packages That Steal Login Details


Two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, were recently detected by Fortinet’s AI-driven OSS malware detection system.

These packages, spotted on November 16 and November 24, 2024, respectively, represent significant threats to users by leveraging advanced malware techniques.

These findings underscore the critical importance of robust cybersecurity measures to protect against such sophisticated threats.


Malicious Behaviors of Zebo-0.1.0

The Zebo-0.1.0 package exhibits a range of malicious activities designed to surveil users, exfiltrate sensitive data, and maintain unauthorized system control.

Key malicious functionalities of Zebo-0.1.0 include:

  • Keylogging and Screen Capturing: The malware tracks every keystroke using the pynput library and captures screenshots at regular intervals via ImageGrab.
  • Data Exfiltration: Sensitive user data, such as keystrokes and screenshots, is uploaded to a remote Firebase database using obfuscated HTTP requests.
  • Persistence Mechanism: The package ensures prolonged presence in the user’s system by creating auto-executing Python scripts and batch files that initiate upon system startup.

The use of obfuscation techniques, including the encoding of malicious URLs, complicates detection efforts and highlights the sophisticated nature of this malware.


Threats Posed by Cometlogger-0.1

Cometlogger-0.1, another identified malicious package, goes a step further in sophistication.

It is capable of dynamically modifying files, stealing sensitive information, and bypassing security environments.

Noteworthy features include:

  • Webhook Injection and Information Theft: By injecting webhooks into multiple files, the malware facilitates the exfiltration of usernames, passwords, cookies, and cryptocurrency wallet data. Targeted platforms include Discord, Instagram, and various browsers.
  • Anti-VM Checks: The malware employs anti-virtualization techniques to avoid detection within sandbox environments used by researchers and security tools.
  • Dynamic File Modifications: The package manipulates Python files during runtime, enabling the execution of malicious commands and maintaining its stealthy presence.

A particularly alarming aspect of Cometlogger-0.1 is its ability to extract encrypted credentials and card data from browser storage, significantly escalating the risk of financial fraud and identity theft.

To mitigate the risk posed by these malicious packages, users and organizations are advised to follow these cybersecurity best practices:

  1. Disconnect and Scan: Immediately disconnect affected systems from the internet and perform a thorough malware scan using reputable antivirus software.
  2. Code Scrutiny: Avoid installing unverified Python packages and review the code of third-party scripts before execution.
  3. Network Monitoring: Implement intrusion detection systems to identify and block suspicious network activities.
  4. Awareness Training: Educate users on recognizing phishing schemes and avoiding unsafe downloads.

Fortinet customers remain protected against these threats through updated AntiVirus services, including FortiGate and FortiClient tools, which have been calibrated to detect and prevent these specific malware packages.

The discovery of Zebo-0.1.0 and Cometlogger-0.1 highlights the increasing risks posed by open-source dependencies.

These malicious packages effectively demonstrate how attackers can use sophisticated techniques to bypass detection, exfiltrate data, and target both individuals and organizations.

Heightened vigilance, combined with advanced cybersecurity tools, remains critical in combating such threats.
