Malware disguised as developer tools

Three signs of common scams

An insidious threat: Malware disguised as developer tools

It’s a familiar refrain: Modern cyber attacks are more sophisticated than ever before. But rarely has an attack fit the bill as well as ‘BlazeStealer,’ a string of malicious Python packages that present as benign code obfuscation tools — a standard best practice for organizations tasked with protecting the privacy of the data their developers work with.

While using data protection tools should deter attackers, it sometimes has the opposite effect. Because the data protected by code obfuscation is often highly valuable, attackers are more motivated to find ways of infiltrating these tools — even creating malicious versions and marketing them to unsuspecting users.

In a recent case, downloading these seemingly innocuous code obfuscation packages automatically triggered malware that allowed attackers to take full control of their targets’ devices, steal passwords, and encrypt and download sensitive data. By the time BlazeStealer was detected and removed, it had been downloaded almost 2,500 times across North America, Asia, and Europe, compromising the protected information of thousands of organizations in the process.

While the BlazeStealer malware no longer presents a threat, thousands of other developer tools have been similarly targeted as attackers exploit open-source repositories, prey on developer trust, and infiltrate unsuspecting organizations. Keep reading to find out why attackers are using application development as an entry point and how to identify malicious activity within the tools your engineers are using.

How attackers target developer tools (and why they’re unlikely to stop)

Developers are uniquely positioned within an organization. Their access to development infrastructure and internal systems makes them a high-value target for attackers, who may compromise that access through the use of malware and other sophisticated schemes — putting your organization’s data, operations, and revenue at risk. Consider these recent attacks:

• GitHub, a popular developer platform, was flooded with millions of infected code repositories aimed at compromising developer devices, obtaining user credentials, and stealing cryptocurrency.

• In an attempt credited to the North Korean hacker group, Lazarus, attackers exploited user typos to misdirect developers into downloading thousands of malicious Python packages.

• Similar attacks concealed malware in test files, which may have originated from coding tests given to freelancers or job seekers.

Identifying and mitigating malware is often difficult to do at scale, since attackers can duplicate and upload malicious packages faster than developer platforms and software supply chain providers can remove them. And some developers may fail to properly vet third-party software altogether; in one study, users obtained deprecated JavaScript packages (i.e. packages with known vulnerabilities) at a rate of 2.1 billion downloads per week.

The ripple effects of these attacks — whether the result of malicious software concealed in open-source repositories, scams, or simple negligence — can extend far beyond their initial impact on application and web development. When successfully implanted, malware can quickly spread within an organization’s infrastructure and systems, steal their internal data, compromise protected customer information, disrupt business operations (or even the products you ship), and diminish both revenue and brand reputation.

3 telltale signs of sophisticated developer scams

Defending against these threats requires a proactive approach, including running regular security scans, establishing strict policies around the use of third-party code repositories and developer tools, and informing developers of evolving attack methods.

Here are three signs of common scams — and best practices organizations can implement to help reduce the risk of attack:

1. Typos may disguise malware-infected packages.

Also known as ‘typosquatting,’ this technique tricks users into downloading malicious packages that share similar names with popular software packages. A simple, undetected typo can set off malware deployment once the user has installed the compromised package, enabling attackers to carry out further actions.

Preventing attacks like these requires developers to carefully examine the names of packages before proceeding with the downloading and installation process — even when the package comes from a trusted source.

2. Trusted packages may conceal malicious updates.

Even packages that have already been vetted for suspicious content and vulnerabilities may become compromised during future updates, triggering attacks when they are least expected. But, manually checking every package update can slow down necessary security updates, pull focus from other development initiatives, and be expensive and time-consuming to carry out on a regular basis.

Avoiding malicious updates like these may involve a number of techniques, from prioritizing critical security updates to using automated tools to help scan packages for new vulnerabilities.

3. Developer security tools and utility packages may be a front for malicious activity.

Like the code obfuscation tools that disguised BlazeStealer malware, other developer security tools and utility packages (even something as unassuming as an email validation tool) may initiate a chain of unexpected malicious actions. If successful, attackers may gain access to protected credentials, data, developer systems, and production infrastructure, allowing them to rapidly expand their attack surface.

Stopping attacks like these is not quite as simple as manually inspecting open-source packages or deploying certain automation services to proactively scan for vulnerabilities. While developers may be the target of these attacks, it is up to organizations to adopt a security-first mindset: one that assumes risk even when using trusted repositories and tools.

Mitigate sophisticated developer attacks

With the proliferation of open-source repositories and organizations' increased reliance on them, attackers are finding more effective and sophisticated ways to infiltrate developer systems. That makes implementing a robust threat detection and response strategy more crucial than ever before.

Cloudflare’s unified, intelligent platform helps organizations secure their infrastructure and data from emerging threats and enforce strict data controls. With Cloudflare, organizations can:

• Minimize exposure and theft of sensitive data: Scan for source code in transit (via HTTP inspection) and prevent unauthorized uploads to risky AI tools and open source repositories.

• Monitor potential risks in public repositories: Detect a variety of data loss, account misconfiguration, and user security risks when using public repositories, like GitHub.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Dive deeper into this topic.

Get the Everywhere Security: Protecting modern organizations from threats without stifling innovation ebook to learn how Cloudflare helps organizations protect their development environments against complex and evolving threats.
Get the ebook!

Key takeaways

After reading this article you will be able to understand:

• Why open-source repositories are a breeding ground for malware

• How attackers target developer tools and ecosystems

• Strategies to spot — and stop — sophisticated scams

Related resources

• Everywhere security for every phase of the attack lifecycle

• Simplifying the way we protect SaaS applications

• Infographic: How modern coding, AI, and cloud impact your data protection strategy