November 9, 2023 at 09:42AM
Malicious Python packages posing as obfuscators are being used to target developers, according to cybersecurity firm Checkmarx. These packages deploy a payload called ‘BlazeStealer’, which allows the attackers to control infected systems and spy on victims. The malware can steal system information, passwords and files, capture screenshots, and even control the computer’s camera. The majority of downloads of these packages have been in the US (69%), followed by China, Russia, and Ireland. Checkmarx advises developers to be cautious and thoroughly vet packages before using them.
According to the meeting notes, application security firm Checkmarx recently warned that malicious Python packages posing as obfuscators are targeting developers with malware. The packages, whose names start with ‘pyobf’, deceive developers by masquerading as tools commonly used in their work. Once installed, they execute a payload known as ‘BlazeStealer’, which takes control of the infected system and spies on the victim.
BlazeStealer retrieves a malicious script from an external resource, enabling the attackers to control the victim’s system via a Discord bot. Once activated, this bot can carry out various actions, including stealing system information, passwords, and files, capturing screenshots, logging keystrokes, encrypting files, deactivating Windows Defender and Task Manager, rendering the machine inoperable, executing commands from the attackers, and even controlling the computer’s camera.
Checkmarx discovered eight specific malicious Python packages carrying the BlazeStealer malware between January and October 2023. These packages include pyobftoexe, pyobfusfile, pyobfexecute, pyobfpremium, pyobflite, pyobfadvance, pyobfuse, and pyobfgood.
The majority of downloads of these malicious packages were found to be in the United States (69%), with China (12%), Russia (5.5%), and Ireland (3%) also affected.
The meeting notes emphasize the importance of caution when working with open source software, as it is a prominent target for attackers. Developers are advised to remain vigilant and thoroughly evaluate packages before using them.
Further related topics discussed in the meeting include malicious NuGet packages abusing MSBuild integrations for code execution, malicious NPM and PyPI packages stealing user information, and PyPI implementing 2FA for all project maintainers to enhance security.