Highly invasive backdoor snuck into open source packages targets developers

Enlarge (credit: Getty Images)

Highly invasive malware targeting software developers is once again circulating in Trojanized code libraries, with the latest ones downloaded thousands of times in the last eight months, researchers said Wednesday.

Since January, eight separate developer tools have contained hidden payloads with various nefarious capabilities, security firm Checkmarx reported. The most recent one was released last month under the name “pyobfgood.” Like the seven packages that preceded it, pyobfgood posed as a legitimate obfuscation tool that developers could use to deter reverse engineering and tampering with their code. Once executed, it installed a payload, giving the attacker almost complete control of the developer’s machine. Capabilities include:

• Exfiltrate detailed host information
• Steal passwords from the Chrome web browser
• Set up a keylogger
• Download files from the victim’s system
• Capture screenshots and record both screen and audio
• Render the computer inoperative by ramping up CPU usage, inserting a batch script in the startup directory to shut down the PC, or forcing a BSOD error with a Python script
• Encrypt files, potentially for ransom
• Deactivate Windows Defender and Task Manager
• Execute any command on the compromised host

In all, pyobfgood and the previous seven tools were installed 2,348 times. They targeted developers using the Python programming language. As obfuscators, the tools targeted Python developers with reason to keep their code secret because it had hidden capabilities, trade secrets, or otherwise sensitive functions. The malicious payloads varied from tool to tool, but they all were remarkable for their level of intrusiveness.