A new set of malicious Python packages has been discovered on the Python Package Index (PyPI) repository. These packages masquerade as harmless obfuscation tools but contain a malware called BlazeStealer, reported Checkmarx.
Diving into details
- The campaign started in January 2023 and includes eight packages - Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood.
- The BlazeStealer malware can execute a number of malicious actions on the infected host, including harvesting sensitive information such as passwords and screenshots, executing arbitrary commands, encrypting files, and disabling Microsoft Defender Antivirus.
- The malware runs a Discord bot to facilitate communication between the threat actor and the infected system.
- Most downloads originated from the U.S., China, and Russia, followed by Ireland, Hong Kong, Croatia, France, and Spain.
Related incidents
- Phylum uncovered a set of npm modules—puma-com, erc20-testenv, blockledger, cryptotransact, and chainflow–that can stealthily deliver a next-stage malware.
- In October, Checkmarx observed a sophisticated attacker deploying malicious packages in PyPi and npm, accumulating nearly 75,000 downloads. The campaign was launched in April.
The bottom line
Open-source software provides a rich environment for germinating new ideas, but it also requires a healthy dose of skepticism. Developers must stay alert and thoroughly assess the reliability and safety of packages before incorporating them into their work.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/df41_shutterstock_400915399.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/0cbd_shutterstock_2245564489.jpg)
