A dangerous package has been found on the PyPI repository. Named zlibxjson version 8.2, the malicious package was flagged by Fortinet’s AI-driven OSS malware detection system on July 3 2024, shortly after its release on June 29 2024.
The package was observed surreptitiously downloading multiple files, including a PyInstaller-packed executable (.exe), which, when unpacked, revealed several Python and DLL files.
Among these, three Python scripts – Discord_token_grabber.py, get_cookies.py and password_grabber.py – were particularly harmful.
Malicious Scripts Steal Discord and Browser Tokens
Discord_token_grabber.py targeted Discord users by extracting tokens from local files, decrypting them if necessary, and validating them through Discord’s API. This allowed attackers to access user accounts without authorization.
Additionally, the script collected extensive user data, including profile information, billing details and more, transmitting it to an external server. The sophisticated code also employed persistence mechanisms to ensure continued operation even if initial attempts failed.
The get_cookies.py script was designed to steal browser cookies from web browsers like Chrome, Firefox, Brave and Opera. These cookies often contain sensitive session information and login credentials.
The script decrypted these cookies using the system’s master key, bypassing usual security measures. It then saved the decrypted data to a file named cookies.txt for potential exfiltration. This file was stored in a user directory, a common tactic to evade detection and facilitate later data transfer.
Read more on browser security: Why we Need to Manage the Risk of AI Browser Extensions
The third malicious script, password_grabber.py, focused on extracting and decrypting saved passwords from Google Chrome and Microsoft Edge.
It accessed the databases where these browsers store login information, decrypted the passwords using the browser’s encryption key and compiled this sensitive data into a format ready for exfiltration or misuse. The script’s cleanup routines removed evidence of the database copying, helping it avoid detection.
“The identified malicious packages in PyPI are designed to steal sensitive information by accessing and decrypting stored data from web browsers, such as passwords and cookies,” Fortinet warned.
“It is crucial to remain vigilant and use detection systems like AI-driven OSS malware detection to identify and mitigate such threats, ensuring user privacy and security are maintained.”
Image credit: Marcelo Mollaretti / Shutterstock.com