- Security researchers found two packages on PyPI, which showed malicious intent
- The packages give the attackers access to systems and sensitive data
- The researchers warn developers to be careful when using third-party packages
Experts have warned that PyPI continues to be abused after researchers discovered more malicious packages were hiding on the platform.
A report from Fortinet’s FortiGuard Labs describes two packages designed to steal people’s credentials, grant unauthorized access to devices, and more.
The researchers say they observed Zebo-0.1.0 and Cometlogger-0.1, two packages that masquerade as legitimate code but hide malicious features behind complex logic and obfuscation.
Smuggling malware
“The Zebo-0.1.0 script is a typical example of malware, with features designed for surveillance, data exfiltration and unauthorized control,” the researchers explain. “It uses libraries such as pynput and ImageGrab, along with obfuscation techniques, indicating clear malicious intent.”
The Cometlogger-0.1 script, on the other hand, comes with other malicious behavior such as dynamic file manipulation, webhook injection, infostealing, and anti-VM checks.
Both packages are described as advanced, persistent and dangerous.
Python is one of the most popular programming languages in the world, and PyPI is naturally one of the most popular open source code repositories in the world. Developers build blocks of code and share them with their colleagues via the platform. Other developers can then use these blocks in their projects, reducing the time required to code various functions.
This gives cybercriminals the opportunity to smuggle malicious code and infect countless projects through the software supply chain. Sometimes they break into legitimate developer accounts and poison existing packages, and other times they typosquat popular packages, publishing look-alike names in the hope that people will accidentally download the malicious package.
Open source is arguably more secure, as the code is open to scrutiny by the entire community, but researchers still advise caution: always verify third-party scripts and executables before running them.
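A concrete form of that advice, as an added example that is not from the article or from FortiGuard Labs: a small pre-install check in Python that flags a requested package name as a possible typosquat of a well-known name, and statically scans package source for the indicator types the report attributes to Zebo-0.1.0 and Cometlogger-0.1 (pynput, ImageGrab, webhook URLs, VM-detection strings, plus dynamic execution of decoded payloads as a generic obfuscation sign). The allowlist, the regexes, both source fixtures and all helper names are constructed for this example.

```python
import re

# Constructed allowlist of well-known package names (a real check would use
# a download-count list or an organisation's approved-packages list).
KNOWN_PACKAGES = {
    "requests", "numpy", "pandas", "flask", "django",
    "urllib3", "pillow", "cryptography", "setuptools",
}

# Indicator types the report associates with the two packages
# (pynput, ImageGrab, webhooks, anti-VM checks) plus common obfuscation.
SUSPICIOUS_PATTERNS = {
    "keylogging import (pynput)": re.compile(r"^\s*(from|import)\s+pynput\b", re.M),
    "screen capture (ImageGrab)": re.compile(r"\bImageGrab\b"),
    "webhook URL": re.compile(r"https?://\S*webhook", re.I),
    "VM detection string": re.compile(r"\b(vmware|virtualbox|vbox|qemu)\b", re.I),
    "dynamic code execution": re.compile(r"\b(exec|eval)\s*\("),
    "base64-decoded payload": re.compile(r"b64decode\s*\("),
}


def normalize_name(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def typosquat_candidates(name, known=KNOWN_PACKAGES, max_distance=2):
    """Known names within max_distance edits of `name` (empty if `name` itself is known)."""
    n = normalize_name(name)
    if n in known:
        return []
    return sorted(k for k in known if edit_distance(n, k) <= max_distance)


def scan_source(text: str):
    """Return the labels of every suspicious pattern found in package source."""
    return sorted(label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))


def review_package(name: str, source: str) -> dict:
    """Combine both checks into a verdict a CI gate or pre-install hook can act on."""
    lookalikes = typosquat_candidates(name)
    findings = scan_source(source)
    return {
        "name": name,
        "lookalike_of": lookalikes,
        "findings": findings,
        "block": bool(lookalikes or findings),
    }


# Constructed fixture: a setup-time script carrying the indicator types
# described in the report. It is not real package code.
SAMPLE_MALICIOUS_SOURCE = '''
import os
from pynput import keyboard
from PIL import ImageGrab
HOOK = "https://example.invalid/api/webhooks/PLACEHOLDER"
if "vmware" in os.environ.get("MACHINE_TAG", "").lower():
    raise SystemExit
exec(__import__("base64").b64decode("cHJpbnQoJ2hpJyk="))
'''

# Constructed fixture: ordinary, benign code.
SAMPLE_CLEAN_SOURCE = '''
import requests
def fetch(url):
    return requests.get(url, timeout=5).status_code
'''

if __name__ == "__main__":
    for pkg, src in (("reqeusts", SAMPLE_MALICIOUS_SOURCE), ("requests", SAMPLE_CLEAN_SOURCE)):
        print(review_package(pkg, src))
```

Both checks are heuristics: a legitimate automation tool may import pynput, and a name two edits away from a popular package may be an unrelated project. The point of `review_package` is to turn an install into a review decision rather than a silent download; a hit should route the package to a person who reads the source, not stand in as proof of malice.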
Additionally, companies must keep their networks behind firewalls and set up intrusion detection systems to secure their infrastructure.