- Security researchers found two packages on PyPI, showing malicious intent
- The packages grant the attackers access to systems and sensitive data
- The researchers warn developers to exercise caution when using third-party packages
Experts have warned PyPI continues to be abused after researchers discovered more malicious packages hiding on the platform.
A report from Fortinet’s FortiGuard Labs discovered two packages designed to steal people’s login credentials, grant unauthorized access to devices, and more.
The researchers says they observed Zebo-0.1.0, and Cometlogger-0.1, two packages that masquerade as legitimate code, but hide harmful features behind complex logic and obfuscation.
Smuggling malware
“The Zebo-0.1.0 script is a typical example of malware, with functions designed for surveillance, data exfiltration, and unauthorized control,” the researchers explained. “It uses libraries like pynput and ImageGrab, along with obfuscation techniques, indicating clear malicious intent.”
The Cometlogger-0.1 script, on the other hand, comes with a different set of malicious behavior, such as dynamic file manipulation, webhook injection, infostealing, and anti-VM checks.
Both packages are described as sophisticated, persistent, and dangerous.
Python is one of the world’s most popular programming languages, and by nature, PyPI is one of the world’s most popular open source code repositories. Developers build code blocks and share with their peers via the platform. Other developers can then use those blocks on their projects, cutting down on time necessary to code out different features.
This gives cybercriminals an opportunity to smuggle malicious code, and infect countless projects through the software supply chain. Sometimes, they would break into legitimate developer accounts and poison their solutions and other times they would typosquat popular solutions in hopes people would mistakenly download the malicious package.
Open-source is arguably more secure, since the code is susceptible to scrutiny from the entire community, but researchers still advise caution, and always verify third-party scripts and executables before running.
Furthermore, businesses should also keep their networks behind firewalls, and set up intrusion detection systems to safeguard their infrastructure.
Leave a comment