Supply Chain Software Security

All articles tagged with #supply chain software security

Python Packages on PyPI Infected with BlazeStealer Malware: Developers Beware!

Originally Published 2 years ago — by The Hacker News

Source: The Hacker News

Malicious Python packages containing the BlazeStealer malware have been discovered on the Python Package Index (PyPI) repository. Disguised as obfuscation tools, these packages install a Discord bot that gives attackers complete control over compromised developer systems. The malware can steal sensitive information, execute commands, encrypt files, and even render the computer unusable. The rogue packages were downloaded over 2,400 times before being taken down, with the majority of downloads originating from the U.S. Developers are advised to remain vigilant and thoroughly vet packages before use.

Node.js Users Vulnerable to Manifest Confusion Attack: Malware Threat Looms

Originally Published 2 years ago — by The Hacker News

Source: The Hacker News

The npm registry for Node.js is vulnerable to a manifest confusion attack, which lets threat actors hide malware in project dependencies or execute arbitrary scripts during installation. The issue arises because the package metadata held by the registry is decoupled from the manifest inside the package itself and the two are not reconciled, so tooling that trusts the registry metadata can be led to unexpected behavior. This loophole can be exploited to publish modules with hidden dependencies and install scripts that do not appear in the registry metadata, potentially enabling supply chain attacks. Users are advised to scan the package contents themselves for anomalies, since relying solely on registry metadata is insufficient. GitHub is aware of the problem but has yet to resolve it. A separate study of GitHub repositories also found insecure dependencies, highlighting the ongoing threat to software supply chains.