New BlazeStealer Malware in PyPI Targets Developers
A new set of malicious Python packages has been discovered on the Python Package Index (PyPI) repository. These packages masquerade as harmless obfuscation tools but contain malware called BlazeStealer, according to Checkmarx.
Diving into details
- The campaign started in January 2023 and includes eight packages – Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood.
- The BlazeStealer malware can execute a number of malicious actions on the infected host, including harvesting sensitive information such as passwords and screenshots, executing arbitrary commands, encrypting files, and disabling Microsoft Defender Antivirus.
- The malware runs a Discord bot to facilitate communication between the threat actor and the infected system.
- Most downloads originated from the U.S., China, and Russia, followed by Ireland, Hong Kong, Croatia, France, and Spain.
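A defender-side check for the campaign above, added here as an example (it is not Checkmarx's or the article's code): it parses a requirements file, normalizes project names the way PyPI does (PEP 503, so `PyObfPremium` and `pyobfpremium` compare equal), and flags the eight reported package names. The `pyobf` prefix heuristic and the sample requirements file are the editor's own assumptions, not indicators from the report.

```python
import re
from typing import Dict, Iterable, List, Optional

# Package names reported by Checkmarx as carrying BlazeStealer (from the article above).
BLAZESTEALER_PACKAGES = {
    "Pyobftoexe", "Pyobfusfile", "Pyobfexecute", "Pyobfpremium",
    "Pyobflite", "Pyobfadvance", "Pyobfuse", "pyobfgood",
}


def normalize(name: str) -> str:
    """Normalize a project name as PyPI does (PEP 503): lowercase, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


KNOWN_BAD = {normalize(n) for n in BLAZESTEALER_PACKAGES}
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_name(line: str) -> Optional[str]:
    """Return the project name on a requirements.txt line; None for blanks, comments and options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = _REQ_NAME.match(line)
    return m.group(1) if m else None


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag exact matches against the reported names, plus (assumed heuristic) any pyobf* name."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        name = requirement_name(raw)
        if name is None:
            continue
        norm = normalize(name)
        if norm in KNOWN_BAD:
            findings.append({"line": lineno, "name": name, "reason": "known BlazeStealer package"})
        elif norm.startswith("pyobf"):
            findings.append({"line": lineno, "name": name, "reason": "pyobf* name; review before install"})
    return findings


# Constructed sample requirements file (not taken from the article).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
# obfuscation helper someone added
PyObfPremium>=1.0
PYOBFGOOD ; python_version >= "3.8"
numpy
--extra-index-url https://example.invalid/simple
pyobfnew==0.1
"""

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"line {f['line']}: {f['name']} -> {f['reason']}")
```

Run it against a project's own requirements file by replacing `SAMPLE_REQUIREMENTS` with the file's contents; a hit on an exact name should be treated as a compromise of any host that installed it, not just a dependency to remove.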
Related incidents
- Phylum uncovered a set of npm modules (puma-com, erc20-testenv, blockledger, cryptotransact, and chainflow) that can stealthily deliver next-stage malware.
- In October, Checkmarx observed a sophisticated attacker deploying malicious packages in PyPI and npm, accumulating nearly 75,000 downloads. The campaign was launched in April.
The bottom line
Open-source software provides a rich environment for germinating new ideas, but it also requires a healthy dose of skepticism. Developers must stay alert and thoroughly assess the reliability and safety of packages before incorporating them into their work.
Resource: https://cyware.com/news/new-blazestealer-malware-in-pypi-targets-developers-666fe1bd