Thanks to the work of the researchers at Checkmarx it was possible to identify a series of Python packages malicious repositories present Python Package Index (PyPI). These have been specially prepared with the aim of stealing sensitive data from developers’ computers.
The packages in question, at first glance, appear to be completely harmless obfuscation tools. In reality, however, once experts analyzed them, they discovered that they host malware BlazeStealer.
Yehuda Gelb, a security researcher involved in the analysis, stated how the malicious agent in question works by downloading an additional script from an external source. All by enabling a bot Discordthrough which attackers manage to take control of the victim’s system.
The cybercriminals’ operation appears to have been launched since last January. The analysis brought to light eight packages used to spread BlazeStealer, namely:
- Pyobftoexe
- Pyobfusfile
- Pyobfexecute
- Pyobfpremium
- Pyobflite
- Pyobfadvance
- Pyobfuse
- Pyobfgood (published in October).
These modules come with the files setup.py e init.py, designed to retrieve a Python script. The latter is executed immediately after installing the offending packages.
BlazeStealer: the 8 offending packages were downloaded 2,438 times
Once the infection is complete, BlazeStealer is ready to act, running a Discord bot. The same goes to steal information from the victim’s computer, sparing no expense password, screenshot and other sensitive data. Cybercriminals can act from various points of view, executing arbitrary commands but also encrypting filesup to the possibility of deactivating Microsoft Defender.
What makes this malware particularly treacherous is the fact that it targets programmers and developers. According to Gelb, all this is not the result of chance”It is obvious that developers engaged in code obfuscation are probably dealing with valuable and sensitive information and therefore, for a hacker, this translates into a goal worth pursuing“, observed the researcher.
Even when it comes to numbers, BlazeStealer’s work raises some concern: before removal, in fact, the offending packages were downloaded 2,438 times.
