A new set of malicious Python packages has been discovered on the Python Package Index (PyPI) repository. The packages masquerade as harmless code-obfuscation tools but contain a malware called BlazeStealer, Checkmarx reported.
Diving into details
The campaign started in January 2023 and includes eight packages: Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood.
The BlazeStealer malware can execute a number of malicious actions on the infected host, including harvesting sensitive information such as passwords and screenshots, executing arbitrary commands, encrypting files, and disabling Microsoft Defender Antivirus.
The malware runs a Discord bot to facilitate communication between the threat actor and the infected system.
Most downloads originated from the U.S., China, and Russia, followed by Ireland, Hong Kong, Croatia, France, and Spain.
Related incidents
Phylum uncovered a set of npm modules (puma-com, erc20-testenv, blockledger, cryptotransact, and chainflow) that can stealthily deliver next-stage malware.
In October, Checkmarx observed a sophisticated attacker deploying malicious packages on PyPI and npm, accumulating nearly 75,000 downloads. That campaign was launched in April.
The bottom line
Open-source software provides a rich environment for germinating new ideas, but it also requires a healthy dose of skepticism. Developers must stay alert and thoroughly assess the reliability and safety of packages before incorporating them into their work.
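One concrete way to act on that advice is to check a project's dependency manifests against the package names reported above before anything is installed. The script below is an added example written for this write-up; it is not code from Checkmarx, Phylum, or any of the reports cited. It parses a requirements.txt (or `pip freeze` output) and an npm package.json, normalises PyPI names the way the index does (case-insensitive, runs of `-`, `_` and `.` collapsed to a single `-`), and reports any match with the PyPI and npm names named in this article. The two sample manifests are constructed for the demonstration.

```python
"""Added example: flag dependency manifests that reference the PyPI and npm
package names reported in this write-up. Not code from the original article
or from the vendors it cites; the sample manifests below are constructed."""
import json
import re


def normalize_pypi(name):
    """Normalise a PyPI project name as the index does (PEP 503):
    lowercase, with any run of '-', '_' or '.' collapsed to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Package names listed in the article (PyPI set stored in normalised form).
PYPI_REPORTED = {normalize_pypi(n) for n in (
    "Pyobftoexe", "Pyobfusfile", "Pyobfexecute", "Pyobfpremium",
    "Pyobflite", "Pyobfadvance", "Pyobfuse", "pyobfgood",
)}
NPM_REPORTED = {"puma-com", "erc20-testenv", "blockledger",
                "cryptotransact", "chainflow"}

# Leading project name of a requirement line ("Foo>=1.0", "foo[extra]", ...).
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_names(text):
    """Extract project names from requirements.txt / pip freeze text.
    Comments, blank lines, pip options (-r, -e, ...) and URL lines are skipped."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("-", "git+", "http://", "https://")):
            continue
        match = _REQ_NAME.match(line)
        if match:
            names.append(match.group(1))
    return names


def flag_pypi(requirements_text):
    """Return the reported PyPI names (normalised) present in the manifest."""
    found = {normalize_pypi(n) for n in requirement_names(requirements_text)}
    return sorted(found & PYPI_REPORTED)


def flag_npm(package_json_text):
    """Return the reported npm names present in any dependency section."""
    data = json.loads(package_json_text)
    deps = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(data.get(section, {}))
    return sorted(deps & NPM_REPORTED)


# Constructed sample manifests (not taken from any real project).
REQUIREMENTS_SAMPLE = """
# constructed sample requirements.txt
requests==2.31.0
PyObfGood>=1.0        # "obfuscation helper"
Pyobflite ; python_version >= "3.8"
-r base.txt
numpy
"""

PACKAGE_JSON_SAMPLE = json.dumps({
    "name": "demo-app",
    "dependencies": {"express": "^4.18.2", "chainflow": "^1.0.0"},
    "devDependencies": {"erc20-testenv": "*"},
})


if __name__ == "__main__":
    print("PyPI matches:", flag_pypi(REQUIREMENTS_SAMPLE))
    print("npm matches:", flag_npm(PACKAGE_JSON_SAMPLE))
```

Name matching of this kind only catches the packages already written up; it is a cheap gate for a CI step or a pre-install hook, not a substitute for reviewing what a new dependency actually does.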