- Security researchers found two packages on PyPI that show clear malicious intent
- The packages give attackers access to sensitive systems and data.
- Researchers warn developers to be careful when using third-party packages
Experts have warned that PyPI continues to be abused after researchers discovered more malicious packages hidden on the platform.
A report from Fortinet’s FortiGuard Labs describes two packages designed to steal people’s login credentials, grant unauthorized access to devices, and more.
Researchers say they observed Zebo-0.1.0 and Cometlogger-0.1, two packages that pose as legitimate code but hide harmful features behind complex logic and obfuscation.
Malware smuggling
“The Zebo-0.1.0 script is a typical example of malware, with functions designed for surveillance, data exfiltration, and unauthorized control,” the researchers explained. “It uses libraries such as pynput and ImageGrab, along with obfuscation techniques, indicating clear malicious intent.”
The Cometlogger-0.1 script, on the other hand, comes with a different set of malicious behavior, such as dynamic file manipulation, webhook injection, information theft, and anti-VM checks.
Both packages are described as sophisticated, persistent and dangerous.
Python is one of the most popular programming languages in the world, and by extension, PyPI is one of the most popular open source code repositories in the world. Developers create blocks of code and share them with their peers through the platform. Other developers can then use those blocks in their projects, reducing the time needed to code different features.
This gives cybercriminals the opportunity to smuggle malicious code and infect countless projects across the software supply chain. Sometimes they break into legitimate developer accounts and poison their packages, and other times they typosquat popular packages, publishing lookalike names in the hope that people will mistakenly download the malicious package.
Open source is arguably safer, since the code is open to scrutiny by the entire community, but researchers still advise caution: always check third-party scripts and executables before running them.
Companies should also keep their networks behind firewalls and deploy intrusion detection systems to safeguard their infrastructure.
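One way to put that advice into practice, as an added example that is not from the report or this article: a small static triage script that parses (never imports or runs) a downloaded package's source and flags the indicator classes the report names, namely surveillance libraries such as pynput and ImageGrab, obfuscated exec/eval, webhook strings and anti-VM checks. The import list, regular expressions and sample file are this example's own assumptions, not FortiGuard's signatures.

```python
"""Static triage of a third-party Python file for the indicator classes named in
the FortiGuard report (surveillance libraries, obfuscated exec, webhook strings,
anti-VM checks). Heuristics are this example's assumptions, not the report's."""
import ast
import re

# Constructed heuristics: import names and string patterns worth a closer look.
SUSPICIOUS_IMPORTS = {"pynput", "PIL.ImageGrab", "ImageGrab"}
WEBHOOK_RE = re.compile(r"https?://\S*webhook", re.IGNORECASE)
ANTI_VM_RE = re.compile(r"vmware|virtualbox|vbox|qemu|sandbox", re.IGNORECASE)
DECODERS = {"b64decode", "decompress", "unhexlify"}


def _call_name(call):
    """Bare function name of a call, e.g. 'b64decode' for base64.b64decode(...)."""
    fn = call.func
    return fn.attr if isinstance(fn, ast.Attribute) else getattr(fn, "id", "")


def triage_source(source):
    """Return sorted indicator labels found by parsing (never executing) source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [f"{node.module or ''}.{a.name}" for a in node.names]
        else:
            names = []
        for n in names:
            if n in SUSPICIOUS_IMPORTS or n.split(".")[0] in SUSPICIOUS_IMPORTS:
                findings.add(f"surveillance-import:{n}")
        # exec/eval whose argument tree contains a decoder call: classic obfuscation
        if isinstance(node, ast.Call) and _call_name(node) in ("exec", "eval"):
            if any(isinstance(s, ast.Call) and _call_name(s) in DECODERS
                   for s in ast.walk(node)):
                findings.add(f"obfuscated-exec:{_call_name(node)}")
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if WEBHOOK_RE.search(node.value):
                findings.add("webhook-url")
            if ANTI_VM_RE.search(node.value):
                findings.add("anti-vm-string")
    return sorted(findings)


# Constructed sample mimicking the behaviours the report describes; it is only parsed.
SAMPLE = '''import base64, platform
from pynput import keyboard
from PIL import ImageGrab
HOOK = "https://example.invalid/api/webhooks/123"
if "VirtualBox" in platform.platform(): raise SystemExit
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))'''
```

Run triage_source over every .py file in an extracted sdist or wheel before installing it; a non-empty result is a reason to read that file by hand, not proof of malice, and an empty one does not clear the package.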