A new set of malicious Python packages has been discovered on the Python Package Index (PyPI). The packages masquerade as harmless code-obfuscation tools but deliver a malware strain called BlazeStealer, Checkmarx reported.

Diving into details

  • The campaign started in January 2023 and includes eight packages - Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood. 
  • The BlazeStealer malware can execute a number of malicious actions on the infected host, including harvesting sensitive information such as passwords and screenshots, executing arbitrary commands, encrypting files, and disabling Microsoft Defender Antivirus.
  • The malware runs a Discord bot to facilitate communication between the threat actor and the infected system.
  • Most downloads originated from the U.S., China, and Russia, followed by Ireland, Hong Kong, Croatia, France, and Spain.

Related incidents

  • Phylum uncovered a set of npm modules (puma-com, erc20-testenv, blockledger, cryptotransact, and chainflow) that can stealthily deliver a next-stage malware.
  • In October, Checkmarx observed a sophisticated attacker deploying malicious packages on PyPI and npm; the campaign, launched in April, had accumulated nearly 75,000 downloads.

The bottom line

Open-source software is a rich environment for germinating new ideas, but it also demands a healthy dose of skepticism. Developers must stay alert and thoroughly assess the reliability and safety of a package before incorporating it into their work.
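One concrete way to act on that advice is to audit a project's requirements file and the running interpreter's installed distributions against the eight package names from the Checkmarx report. The script below is an added example written for this article, not code from Checkmarx or Cyware. The package names come from the article; the sample requirements text and the version numbers in it are constructed for the demonstration. Names are compared after PEP 503 normalization, because pip treats Pyobftoexe and pyobftoexe as the same project and a case-sensitive blocklist would miss the capitalized spelling used above.

```python
"""Audit a requirements file and the current environment for the eight
BlazeStealer package names listed in the Checkmarx report.

Added example for this article, not Checkmarx's or Cyware's code. The
package names come from the article; parsing follows PEP 508 (requirement
syntax) and PEP 503 (name normalization).
"""
import re
from importlib.metadata import distributions

# The eight packages named in the report, stored in PEP 503 normalized form.
BLAZESTEALER_PACKAGES = frozenset({
    "pyobftoexe", "pyobfusfile", "pyobfexecute", "pyobfpremium",
    "pyobflite", "pyobfadvance", "pyobfuse", "pyobfgood",
})

# PEP 508 project name, optional extras, then end of line or a version, URL
# or marker separator. Lines that do not match (e.g. "git+https://...") are
# reported as unparsed rather than silently ignored.
_REQ_NAME = re.compile(
    r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"\s*(?:\[[^\]]*\])?\s*(?:[=<>!~@;]|$)"
)

# Constructed sample requirements file for the demonstration; versions and
# hosts are made up.
SAMPLE_REQUIREMENTS = """\
requests>=2.31                       # legitimate, not a hit
Pyobftoexe==1.0.0                    # capitalized as in the article
PyObfExecute[full]; python_version < "3.12"
pyobflite @ https://example.invalid/pyobflite-1.0.tar.gz
-r other.txt                         # pip option, skipped
git+https://example.invalid/repo.git#egg=foo
"""


def normalize_name(name: str) -> str:
    """PEP 503: lowercase and collapse runs of '-', '_', '.' to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_names(requirements_text: str):
    """Yield (line_no, raw_name) per requirement line; raw_name is None when
    the line could not be parsed. Blank lines, comment lines and pip options
    (-r, -e, --index-url, ...) are skipped. Per pip's rules an inline comment
    starts at '#' preceded by whitespace, so URL fragments survive."""
    for line_no, raw in enumerate(requirements_text.splitlines(), start=1):
        line = re.split(r"\s+#", raw, maxsplit=1)[0].strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        match = _REQ_NAME.match(line)
        yield line_no, (match.group(1) if match else None)


def audit_requirements(requirements_text: str) -> dict:
    """Return {'hits': [(line_no, raw_name), ...], 'unparsed': [line_no, ...]}."""
    hits, unparsed = [], []
    for line_no, name in requirement_names(requirements_text):
        if name is None:
            unparsed.append(line_no)
        elif normalize_name(name) in BLAZESTEALER_PACKAGES:
            hits.append((line_no, name))
    return {"hits": hits, "unparsed": unparsed}


def audit_installed() -> list:
    """Return names of installed distributions on the blocklist. Uses
    importlib.metadata, so transitively installed packages are seen too."""
    found = set()
    for dist in distributions():
        name = dist.metadata.get("Name")
        if name and normalize_name(name) in BLAZESTEALER_PACKAGES:
            found.add(name)
    return sorted(found)


if __name__ == "__main__":
    report = audit_requirements(SAMPLE_REQUIREMENTS)
    for line_no, name in report["hits"]:
        print(f"line {line_no}: {name} is a BlazeStealer package")
    for line_no in report["unparsed"]:
        print(f"line {line_no}: could not parse, review manually")
    for name in audit_installed():
        print(f"installed: {name}")
```

On the constructed sample the audit flags lines 2, 3 and 4 (a capitalized name, a name with extras and a marker, and a direct-URL requirement) and reports line 6 as unparsed so that a VCS requirement is reviewed by hand rather than passed over. Running it in CI against the real requirements file, and `audit_installed()` inside the built environment, catches both a direct dependency and one pulled in transitively.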
Cyware Publisher