There's another malicious PyPl package - this one stealing data from developers

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

Criminals have been found impersonating a well-known cybersecurity firm in an attempt to steal data from software developers, researchers have found.

Researchers from ReversingLabs recently discovered a malicious Python package on PyPI called “SentinelOne”. Named after a known cybersecurity company from the United States, the package pretends to be a legitimate SDK client allowing easy access to the SentinelOne API from within a separate project. 

However, the package also carries “api.py” files which hold the malicious code, and allow the threat actors to exfiltrate sensitive data from the developers to a third-party IP address (54.254.189.27).

Going after auth tokens and API keys

The data being stolen includes Bash and Zsh histories, SSH keys, .gitconfig files, hosts files, AWS configuration info, Kube configuration info, and others. As per the publication, these folders usually store auth tokens, secrets, and API keys, which would enable threat actors further access to target cloud services and server endpoints. 

The worst part is that the package does offer the functionality the developers expect. In reality, this is a hijacked package, meaning unsuspecting developers might end up using it and becoming victims in ignorance. The good news is that ReversingLabs confirmed the malicious intent of the package, and after reporting it to both SentinelOne and PyPI, had it removed from the repository.

In the days and weeks leading up to the removal, the malicious actors were quite active. The package was first uploaded to PyPI on December 11, and has been updated 20 times in less than 10 days. 

One of the issues that were fixed with an update was the inability to exfiltrate data from Linux systems, the researchers found.

It’s difficult to say if anyone fell for the scam, the researchers concluded, as there is no evidence the package got used in an actual attack. Still, all the published versions were downloaded more than 1,000 times. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.