A nasty Python package continues a trend of targeting developers

Sometimes when malicious hackers meddle with open-source software development, the target isn’t the software — it’s the developers themselves.

Researchers at cybersecurity firm Checkmarx say they have been tracking malware intended to infect the computers of developers who work with the popular Python language and have a need to obfuscate their code, or make it unreadable to prying eyes.

There are a lot of legitimate, helpful tools for doing this, and they appear as packages in open-source code libraries. This year, attackers have taken note and are posting packages with similar names that instead “have hidden agendas,” the researchers say in a report released Wednesday morning.

The latest of these packages, published in October, has a “destructive payload” that activates as soon as a developer runs the code. Checkmarx is calling it “BlazeStealer,” and it “retrieves an additional malicious script from an external source,” enabling a bot on the Discord messaging service “that gives attackers complete control over the victim's computer.”

Developers who want to obfuscate their Python code can be attractive targets, Checkmarx says, because they “are likely working with valuable and sensitive information.”

The bogus packages usually begin with “pyobf,” mimicking the names of clean Python obfuscators. Checkmarx said the October discovery is posted as “pyobfgood,” and once it’s fully running on a victim’s machine, it allows for a familiar range of malicious activities — everything from data exfiltration and keystroke logging to direct spying.
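The naming pattern described above can be checked against a project's dependency list. The following is an added example, not code from Checkmarx or from the article: it flags the one package name the report gives and marks any other name starting with the reported prefix for manual review, since clean obfuscators use similar names. The sample requirements text and the `pyobf_example` name are constructed for illustration.

```python
import re

# Indicators taken from the article: the reported prefix and the one package it names.
REPORTED_PREFIX = "pyobf"
REPORTED_NAMES = {"pyobfgood"}

# A requirement line starts with the project name (PEP 508).
_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation: lower-case, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text):
    """Return (line_no, normalized_name, verdict) for requirements matching the indicators."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line or line.startswith("-"):   # skip blanks and pip options (-r, -e, --hash)
            continue
        match = _NAME.match(line)
        if not match:
            continue
        name = normalize(match.group(1))
        if name in REPORTED_NAMES:
            findings.append((line_no, name, "reported-malicious"))
        elif name.startswith(REPORTED_PREFIX):
            # Prefix alone is not proof: legitimate tools share it, so only ask for review.
            findings.append((line_no, name, "review-prefix"))
    return findings


# Constructed sample input; pyobf_example is a made-up name, not a known package.
SAMPLE = """\
requests==2.31.0
PyObfGood>=1.0   # reported name, different case
pyobf_example[extra]==0.1
# pyobfgood in a comment is ignored
-r other.txt
numpy
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE):
        print(finding)
```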

The target machine runs an application allowing the Discord bot “to secretly capture a photo using the webcam,” Checkmarx says. “The resulting image is then sent back to the Discord channel, without leaving any evidence of its presence after deleting the downloaded files.”

Open-source code libraries have drawn more attention this year as researchers continue to dig up examples of how attackers abuse them to spread malware. Cybersecurity company Phylum recently warned of “an alarming surge in attack sophistication aimed at developers and package ecosystems.”

A recent example is a vulnerability in the libwebp library that alarmed cybersecurity experts in September. Previous research by Checkmarx found packages in the npm JavaScript library carrying malicious scripts that targeted the banking sector.

Amid the warnings, the Biden administration has been urging the industry to do more to help secure open-source software.


Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years' experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.