Nasty Python Package Continues Trend of Targeting Developers


Sometimes when malicious hackers meddle with open source software development, the target is not the software, but the developers themselves.

Researchers at cybersecurity firm Checkmarx say they have tracked malware intended to infect the computers of developers who work with the popular Python language and need to hide their code or make it unreadable to prying eyes.

There are many legitimate and useful tools for doing this, and they appear as packages in open source code libraries. This year, attackers have taken note and are releasing packages with similar names that “have hidden intentions,” researchers say in a report released Wednesday morning.

The latest of these packages, released in October, has a “destructive payload” that activates whenever a developer runs the code. Checkmarx calls it “BlazeStealer” and it “obtains additional malicious script from an external source,” activating a bot on the Discord messaging service “that gives attackers full control over the victim’s computer.”

Developers who want to obfuscate their Python code may be attractive targets, Checkmarx says, because they are “likely working with valuable and sensitive information.”

Fake packages usually start with “pyobf”, mimicking the names of legitimate Python obfuscation packages. Checkmarx said the October discovery was published as “pyobfgood”, and that once it is fully executed on a victim’s machine, it enables a familiar range of malicious activities, from data exfiltration and keystroke recording to direct spying.
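The name-mimicry described above is something a team can screen for before a package is ever installed. The following is an added example, not code from the Checkmarx report or from any of the packages it names: it reads a requirements file, normalises each name the way the Python package index does, and flags names that are within a small edit distance of, or share a leading prefix with, an allowlisted package. The allowlist and the requirements lines are constructed for the example; “pyobfuscate” in particular is a placeholder name, not a claim about any real package.

```python
"""Screen a requirements list for package names that look like known-good ones.

Added illustration only: the allowlist and the requirements text below are
constructed for this example and are not taken from the Checkmarx report.
"""
import re

# Hypothetical allowlist of packages a team has vetted. "pyarmor" is a real
# obfuscator; "pyobfuscate" is a placeholder name used only for illustration.
KNOWN_GOOD = {"pyarmor", "pyobfuscate", "requests", "cryptography"}

# Constructed sample requirements file (not real project input).
SAMPLE_REQUIREMENTS = """
requests==2.31.0
pyobfgood
pyarmor>=8.0
cryptographyy
# a comment line is ignored
-e git+https://example.invalid/repo.git#egg=internaltool
"""


def normalize(name):
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line):
    """Extract the distribution name from one requirements.txt line, or None."""
    line = line.strip()
    if not line or line.startswith(("#", "-")):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return normalize(m.group(1)) if m else None


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name, known, max_distance=2, prefix_len=5):
    """Return (reason, known_name) if `name` resembles an allowlisted name.

    Exact allowlist members are never flagged. Two heuristics follow:
    a near-miss by edit distance (typosquatting), then a shared leading
    prefix (the "pyobf..." pattern). Returns None when nothing matches.
    """
    if name in known:
        return None
    best = min(known, key=lambda k: levenshtein(name, k))
    if levenshtein(name, best) <= max_distance:
        return ("edit-distance", best)
    for k in sorted(known):
        if len(k) >= prefix_len and name.startswith(k[:prefix_len]):
            return ("shared-prefix", k)
    return None


def screen(requirements_text, known=KNOWN_GOOD):
    """Return [(name, reason, matched_known_name), ...] for suspicious entries."""
    known = {normalize(k) for k in known}
    findings = []
    for line in requirements_text.splitlines():
        name = requirement_name(line)
        if name is None:
            continue
        hit = lookalike(name, known)
        if hit:
            findings.append((name, *hit))
    return findings


if __name__ == "__main__":
    for name, reason, match in screen(SAMPLE_REQUIREMENTS):
        print(f"{name}: {reason} match with known-good '{match}'")
```

A hit from this screen is a prompt to inspect the package, not a verdict: the prefix rule in particular will flag legitimately named packages that happen to share a stem with something on the allowlist, so tune `prefix_len` and `max_distance` to the team's own dependency set.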

The target machine runs an application that allows the Discord bot to “secretly capture a photo using the webcam,” Checkmarx explains. “The resulting image is then sent back to the Discord channel, leaving no trace of its presence after the uploaded files are deleted.”

Open source code libraries have attracted more attention this year as researchers continue to find examples of how attackers abuse them to spread malware. Cybersecurity company Phylum recently warned of “an alarming rise in the sophistication of attacks targeting developers and package ecosystems.”

A recent example is a vulnerability in the libwebp image library which alarmed cybersecurity experts in September. Previous research by Checkmarx found packages in the npm JavaScript registry carrying malicious scripts targeting the banking sector.

Amid these warnings, the Biden administration urged the industry to do more to help secure open source software.


Joe Warminsky

Joe Warminsky is the editor-in-chief of Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, DC area. Most recently, he helped lead CyberScoop for over five years. Before that, he was a digital editor at WAMU 88.5, NPR’s Washington affiliate, and he spent more than a decade editing congressional coverage for CQ Roll Call.
