Fortinet’s AI-driven OSS malware detection system recently identified a dangerous package named zlibxjson version 8.2 on PyPI [1], flagging it as malicious shortly after its release.

Description

The package shipped with malicious Python scripts [1] [2], including Discordtokengrabber.py, getcookies.py, and passwordgrabber.py [1] [2] [3], aimed at Discord users and at the cookies stored by several popular browsers. It also carried a URL from which further files were downloaded [1], among them an executable (exe) packed with PyInstaller [1]. During analysis, that executable was unpacked to recover its .pyc files, which were then decompiled back to Python (.py) source [1]. The recovered scripts extract sensitive data such as tokens, user data, and login credentials, decrypt it, and exfiltrate it for later misuse [2]. In short, the package was built to read and decrypt data stored by web browsers, giving the attacker unauthorized access to, and a channel for exfiltrating, personal data [1].
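The following is an added example, not Fortinet's detection system or any code from the package itself: a small static triage scan that looks, in an unpacked sdist or wheel, for the indicators this description names. It flags the reported script names, hard-coded URLs in Python source, bundled executables carrying the PyInstaller archive cookie (the magic bytes PyInstaller writes into the archive it appends to its bootloader), and source-level references a browser credential or cookie stealer on Windows typically needs, such as the DPAPI call CryptUnprotectData and Chromium's "Local State" and "Login Data" files. The indicator list and the sample package it scans are my own constructions and are assumptions for illustration; the file contents are not the real zlibxjson files.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Cookie magic PyInstaller writes into the archive appended to its bootloader;
# finding it inside a shipped binary marks the file as a PyInstaller bundle.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Script names reported for zlibxjson 8.2 (compared case-insensitively).
SUSPICIOUS_NAMES = {"discordtokengrabber.py", "getcookies.py", "passwordgrabber.py"}

# Hard-coded download / exfiltration endpoints in source files.
URL_RE = re.compile(rb"https?://[^\s'\"<>)]+")

# Source-level indicators (assumed, chosen for this example): the Windows DPAPI
# call and Chromium files a browser credential/cookie stealer has to touch,
# plus any reference to Discord client data.
SOURCE_INDICATORS = {
    "CryptUnprotectData": "DPAPI decryption of Chromium master key / cookies",
    "Local State": "Chromium file holding the encrypted master key",
    "Login Data": "Chromium saved-password database",
    "discord": "Discord client data referenced",
}


def scan_file(path: Path) -> list[str]:
    """Return human-readable findings for one file (empty list if nothing matched)."""
    findings: list[str] = []
    data = path.read_bytes()
    if path.name.lower() in SUSPICIOUS_NAMES:
        findings.append(f"suspicious filename: {path.name}")
    if PYINSTALLER_MAGIC in data:
        findings.append(f"PyInstaller-packed binary: {path.name}")
    if path.suffix.lower() == ".py":
        for url in URL_RE.findall(data):
            findings.append(f"hard-coded URL in {path.name}: {url.decode('utf-8', 'replace')}")
        text = data.decode("utf-8", "replace").lower()
        for needle, why in SOURCE_INDICATORS.items():
            if needle.lower() in text:
                findings.append(f"{needle} in {path.name}: {why}")
    return findings


def scan_package(root: Path) -> dict[str, list[str]]:
    """Walk an unpacked package; map relative path -> findings, omitting clean files."""
    report: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings = scan_file(path)
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report


def build_sample_package() -> Path:
    """Constructed stand-in for an unpacked package (NOT the real zlibxjson files)."""
    root = Path(tempfile.mkdtemp(prefix="pkg_"))
    pkg = root / "zlibxjson"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("import json\n")  # benign module, should not be flagged
    (pkg / "passwordgrabber.py").write_text(
        "import win32crypt\n"
        "key = open('Local State', 'rb').read()\n"
        "win32crypt.CryptUnprotectData(key)\n"
        "URL = 'https://example.invalid/payload.exe'\n"
    )
    # Fake PE header followed by the PyInstaller cookie magic.
    (pkg / "stage2.exe").write_bytes(b"MZ" + b"\0" * 64 + PYINSTALLER_MAGIC + b"\0" * 16)
    return root


if __name__ == "__main__":
    for rel, findings in scan_package(build_sample_package()).items():
        print(rel)
        for finding in findings:
            print("  -", finding)
```

Run it against a directory produced by `pip download --no-deps <pkg>` followed by unzipping the wheel or extracting the sdist; a PyInstaller cookie inside a wheel, or a DPAPI call in a library that claims to handle JSON, is reason enough to quarantine the package before any `setup.py` or import runs.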

Conclusion

Fortinet has urged users to stay vigilant and to rely on detection systems such as its AI-driven OSS malware detection to catch packages like this one and protect user privacy and security. The incident shows why proactive measures, including scanning third-party packages before they are installed, matter, and why ongoing vigilance is needed as supply-chain attacks keep evolving.

References

[1] https://www.fortinet.com/blog/threat-research/malicious-packages-hidden-in-pypl
[2] https://www.infosecurity-magazine.com/news/pypi-package-steals-discord/
[3] https://islainformatica.com/el-nuevo-paquete-pypi-zlibxjson-roba-datos-de-discord-y-del-navegador/