The JFrog Security Research team has identified and reported a sophisticated piece of malware on the Python Package Index (PyPI) named "cookiezlog," which employs advanced static and dynamic obfuscation techniques to evade detection. Unlike typical malware, "cookiezlog" incorporates anti-debugging code, a first in PyPI malware, to thwart dynamic analysis tools. Upon installation, the package executes malicious code that downloads an executable disguised as a Python script packed into a Windows PE file. The malware's defenses include zlib encoding, PyArmor obfuscation, and checks for virtual machine environments and debugging tools. Despite its complex defenses, the payload itself is a relatively simple password grabber targeting browser-stored passwords and financial services credentials. The discovery highlights the evolving sophistication of malware in open-source software repositories, paralleling the development of native malware in employing multifaceted protection against analysis.