{"id":"MAL-2024-11751","summary":"Malicious code in zebo (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (27f62f0f9a2a11b03c5bbead202d9f5d58ca471041e3115eb67dd88accc22be4)\nPackage automatically installs a script with keylogger and screenshots extraction, and sets it for an autostart.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2024-11-zebo\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - peristence-autorun\n\n\n - keylogger\n","aliases":["SNYK-PYTHON-ZEBO-8549368"],"modified":"2026-03-19T12:58:23.123082Z","published":"2024-11-16T23:31:21Z","database_specific":{"malicious-packages-origins":[{"import_time":"2024-12-09T14:38:51.268258728Z","sha256":"be0083df419b67e22360f157bd710102fe0e7b48a0e55eddc6540eb5abeb0f46","versions":["0.1.0"],"id":"RLMA-2024-11213","modified_time":"2024-12-09T06:51:31Z","source":"reversing-labs"},{"import_time":"2025-02-03T18:38:14.143050998Z","sha256":"6375f974d9ad51bcea6bc3b135bf1d19c1ec7b3b90401d923b170c6abd618c3c","id":"RLUA-2025-00551","modified_time":"2025-02-03T17:08:06Z","source":"reversing-labs"},{"import_time":"2025-12-02T22:30:55.791557956Z","sha256":"f67e2c21bf3fb283a2165c4112d96b86ac4125f3f7355d3c8ddc41544a796cc2","modified_time":"2024-11-16T23:31:21Z","id":"pypi/2024-11-zebo/zebo","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"source":"kam193"},{"import_time":"2025-12-02T23:07:18.834998493Z","sha256":"27f62f0f9a2a11b03c5bbead202d9f5d58ca471041e3115eb67dd88accc22be4","modified_time":"2024-11-16T23:31:21Z","id":"pypi/2024-11-zebo/zebo","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"source":"kam193"},{"import_time":"2025-12-10T21:38:57.99993718Z","sha256":"7643fc344d525d9313da25a4a0351b1655cb2dd6ad1ba2770289fb9937300d71","versions":["0.1.0"],"id":"pypi/2024-11-zebo/zebo","modified_time":"2024-11-16T23:31:21Z","source":"kam193"},{"import_time":"2026-03-19T12:20:45.709297135Z","sha256":"71def0d6b87b908f6a426999bee7e6d2169351df530ab794b0e56de116a49ff9","id":"RLUA-2026-00946","modified_time":"2026-03-18T12:21:14Z","source":"reversing-labs"}],"iocs":{"domains":["project-runnner-default-rtdb.firebaseio.com"]}},"references":[{"type":"ADVISORY","url":"https://security.snyk.io/vuln/SNYK-PYTHON-ZEBO-8549368"},{"type":"ARTICLE","url":"https://www.fortinet.com/blog/threat-research/analyzing-malicious-intent-in-python-code"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/zebo"}],"affected":[{"package":{"name":"zebo","ecosystem":"PyPI","purl":"pkg:pypi/zebo"},"versions":["0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/zebo/MAL-2024-11751.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}