Two malicious packages discovered on the Python Package Index (PyPI) repository were found to be stealing sensitive data and hijacking social media accounts, according to findings from Fortinet FortiGuard Labs.
The packages, named "zebo" and "cometlogger," accumulated nearly 300 combined downloads primarily from users in the United States, China, Russia, and India before being removed from the repository.
The zebo package employed sophisticated concealment methods, including hex-encoded strings to hide its command server communications. Once installed, it captured keystrokes using the pynput library and took hourly screenshots that were uploaded to ImgBB image hosting. The malware also established persistence by creating a startup script that would automatically run whenever the system rebooted.
Cometlogger demonstrated even broader capabilities, targeting user data from popular platforms including Discord, Steam, Instagram, X (formerly Twitter), TikTok, Reddit, Twitch, Spotify, and Roblox. The package collected cookies, passwords, tokens, and account information. It also gathered system details, network configurations, and clipboard contents while actively avoiding detection in virtual machine environments.
Security researcher Jenna Wang noted that while some of these features could appear legitimate, the packages' secretive nature and suspicious behaviors made them unsafe. She advised careful code review before execution and recommended avoiding unverified script sources.
The discovery highlights ongoing security challenges in public code repositories and emphasizes the need for developers to exercise caution when incorporating third-party packages into their projects.