Malicious Python packages posing as obfuscators have been targeting developers with malware that takes control over the infected systems, application security firm Checkmarx warns.
Featuring names that start with ‘pyobf’ and masquerading as tools typically used by developers, the malicious packages deploy a payload dubbed ‘BlazeStealer’, to control the victim’s system and spy on them.
BlazeStealer, Checkmarx has discovered, fetches a malicious script to enable a Discord bot and provide the attackers with control over the infected system.
The malicious Python code, activated upon package installation, retrieves and executes additional code from an external resource, and runs a Discord bot functioning as a powerful backdoor.
Once activated, the bot can steal system information, passwords, and files, can capture screenshots, log keystrokes, encrypt files, deactivate Windows Defender and Task Manager, render the machine inoperable, and execute commands received from the attackers.
Additionally, the bot can control the computer’s camera, capturing photos and sending them to the attackers via Discord.
In addition to establishing a gateway for the attackers to control the victim’s machine, the malware taunts the victims, with threatening messages that claim the immediate destruction of the infected system.
Between January and October 2023, Checkmarx identified eight malicious Python packages carrying the BlazeStealer malware, namely pyobftoexe, pyobfusfile, pyobfexecute, pyobfpremium, pyobflite, pyobfadvance, pyobfuse, and pyobfgood.
The majority of those who downloaded these packages, the security firm says, are in the US (69%). China (12%), Russia (5.5%), and Ireland (3%) were also impacted.
The pivotal role open source software plays in software development makes it an attractive target to attackers, especially developers who work with valuable or sensitive information that requires obfuscation, who have been the main target of this malicious campaign.
“The open source domain remains a fertile ground for innovation, but it demands caution. Developers must remain vigilant, and vet the packages prior to consumption,” Checkmarx notes.
Related: Malicious NuGet Packages Abuse MSBuild Integrations for Code Execution
Related: Malicious NPM, PyPI Packages Stealing User Information
Related: PyPI Enforcing 2FA for All Project Maintainers to Boost Security