Connect with us

Hi, what are you looking for?


Malware & Threats

‘BlazeStealer’ Malware Delivered to Python Developers Looking for Obfuscation Tools

Checkmarx uncovers a malicious campaign targeting Python developers with malware that takes over their systems.

Malicious Python packages posing as obfuscators have been targeting developers with malware that takes control over the infected systems, application security firm Checkmarx warns.

Featuring names that start with ‘pyobf’ and masquerading as tools typically used by developers, the malicious packages deploy a payload dubbed ‘BlazeStealer’, to control the victim’s system and spy on them.

BlazeStealer, Checkmarx has discovered, fetches a malicious script to enable a Discord bot and provide the attackers with control over the infected system.

The malicious Python code, activated upon package installation, retrieves and executes additional code from an external resource, and runs a Discord bot functioning as a powerful backdoor.

Once activated, the bot can steal system information, passwords, and files, can capture screenshots, log keystrokes, encrypt files, deactivate Windows Defender and Task Manager, render the machine inoperable, and execute commands received from the attackers.

Additionally, the bot can control the computer’s camera, capturing photos and sending them to the attackers via Discord.

In addition to establishing a gateway for the attackers to control the victim’s machine, the malware taunts the victims, with threatening messages that claim the immediate destruction of the infected system.

Between January and October 2023, Checkmarx identified eight malicious Python packages carrying the BlazeStealer malware, namely pyobftoexe, pyobfusfile, pyobfexecute, pyobfpremium, pyobflite, pyobfadvance, pyobfuse, and pyobfgood.

Advertisement. Scroll to continue reading.

The majority of those who downloaded these packages, the security firm says, are in the US (69%). China (12%), Russia (5.5%), and Ireland (3%) were also impacted.

The pivotal role open source software plays in software development makes it an attractive target to attackers, especially developers who work with valuable or sensitive information that requires obfuscation, who have been the main target of this malicious campaign.

“The open source domain remains a fertile ground for innovation, but it demands caution. Developers must remain vigilant, and vet the packages prior to consumption,” Checkmarx notes.

Related: Malicious NuGet Packages Abuse MSBuild Integrations for Code Execution

Related: Malicious NPM, PyPI Packages Stealing User Information

Related: PyPI Enforcing 2FA for All Project Maintainers to Boost Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.