In a concerning cybersecurity revelation, a new breed of malicious Python packages has infiltrated the Python Package Index (PyPI) repository, posing a significant threat to developers.
Furthermore, these seemingly harmless packages disguise themselves as obfuscation tools but contain a stealthy malware known as BlazeStealer, as reported by Checkmarx. BlazeStealer is a formidable threat that retrieves an additional malicious script from an external source, enabling a Discord bot that grants attackers full control over the victim’s computer, according to security researcher Yehuda Gelb.
Additionally, this malicious campaign, initiated in January 2023, encompasses eight different packages, namely Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood, the latest of which was published in October. These packages are equipped with setup.py and init.py files designed to fetch and execute a Python script hosted on transfer[.]sh immediately upon installation.
At the same time, BlazeStealer, the malware concealed within these packages, enables threat actors to extract a wide array of information, including web browser passwords and screenshots, execute arbitrary commands, encrypt files, and disable Microsoft Defender Antivirus on the compromised system. Furthermore, it has the capability to render the victim’s computer inoperable by increasing CPU usage, inserting a Windows Batch script in the startup directory for a forced shutdown, or even triggering a blue screen of death (BSoD).
This discovery serves as a stark reminder of the risks developers face when dealing with code obfuscation, particularly due to the valuable and sensitive information they handle. The majority of downloads of these rogue packages originated from the United States, followed by China, Russia, Ireland, Hong Kong, Croatia, France, and Spain, totaling 2,438 downloads before being taken down.
In light of this incident, Yehuda Gelb emphasized the need for developers to exercise caution and meticulously vet packages before incorporating them into their projects, as the open-source domain remains a fertile ground for innovation but also presents a breeding ground for potential threats.