Malicious PyPI Package Targets macOS to Steal Google Cloud Credentials

Jul 27, 2024 | Newsroom | Cybersecurity / Cloud Security

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that targets Apple macOS systems with the goal of stealing users' Google Cloud credentials from a narrow pool of victims.

The package, named "lr-utils-lib," attracted a total of 59 downloads before it was taken down. It was uploaded to the registry in early June 2024.

"The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data," Checkmarx researcher Yehuda Gelb said in a Friday report. "The harvested credentials are sent to a remote server."


An important aspect of the package is that it first checks whether it has been installed on a macOS system, and only then proceeds to compare the system's Universally Unique Identifier (UUID) against a hard-coded list of 64 hashes.

If the compromised machine is among those in the predefined set, it attempts to access two files, application_default_credentials.json and credentials.db, located in the ~/.config/gcloud directory, which contain Google Cloud authentication data.


The captured information is then transmitted over HTTP to a remote server, "europe-west2-workload-422915[.]cloudfunctions[.]net."
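As an added, defensive example that is not part of the Checkmarx report or this article: a static triage script that scans a quarantined package's Python sources for the behaviour pattern described above (a macOS gate, a hard-coded list of hash digests, reads of the gcloud credential files, outbound HTTP, and the reported hostname). The category names, the regexes other than the paths and hostname quoted in the article, the thresholds and the sample sources are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Indicator regexes. The credential paths and the exfiltration host come from
# the article; the category names, the other patterns and the thresholds are
# assumptions made for this example.
INDICATORS = {
    "macos_gate": re.compile(r"platform\.system\(\)\s*==\s*['\"]Darwin['\"]"),
    "gcloud_creds": re.compile(r"\.config/gcloud|application_default_credentials\.json|credentials\.db"),
    "http_out": re.compile(r"requests\.post\(|urllib\.request\.urlopen\("),
    "known_c2": re.compile(r"europe-west2-workload-422915\.cloudfunctions\.net"),
}
HEX_LITERAL = re.compile(r"['\"][0-9a-fA-F]{32,64}['\"]")  # md5/sha1/sha256-sized digests
HASH_LIST_MIN = 8  # assumption: this many digests in one file looks like a target allow-list


def scan_source(text: str) -> dict[str, bool]:
    """Return which indicator categories a single source file matches."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    hits["hash_allowlist"] = len(HEX_LITERAL.findall(text)) >= HASH_LIST_MIN
    return hits


def verdict(hits: dict[str, bool]) -> str:
    """Combine categories so a legitimate gcloud helper is not flagged on its own."""
    if hits["known_c2"]:
        return "malicious-ioc"
    if hits["gcloud_creds"] and hits["macos_gate"] and (hits["hash_allowlist"] or hits["http_out"]):
        return "suspicious"
    if hits["gcloud_creds"] and hits["http_out"]:
        return "review"
    return "clean"


def scan_package(root: Path) -> dict[str, str]:
    """Verdict per .py file under an unpacked sdist or wheel (scan a quarantined copy)."""
    return {str(p.relative_to(root)): verdict(scan_source(p.read_text(errors="ignore")))
            for p in root.rglob("*.py")}


# Constructed sample sources for the demo; none of this is the real package's code.
BENIGN = 'from setuptools import setup\nsetup(name="lr-utils", version="1.0")\n'
GATED = (
    'import platform, requests\nif platform.system() == "Darwin":\n'
    '    ALLOW = [' + ", ".join(f'"{i:064x}"' for i in range(HASH_LIST_MIN)) + ']\n'
    '    CREDS = "~/.config/gcloud/application_default_credentials.json"\n'
    '    requests.post(URL, ...)\n'
)
WITH_IOC = GATED + 'URL = "https://europe-west2-workload-422915.cloudfunctions.net/"\n'
```

Run `scan_package(Path("unpacked-sdist"))` against an extracted copy of a package before installing it; the "review" verdict is meant to route borderline files to a human rather than block them.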

Checkmarx said it also found a fake LinkedIn profile under the name "Lucid Zenith" that matched the package's owner and falsely claimed to be the CEO of Apex Companies, suggesting a possible social engineering element to the attack.

Exactly who is behind the campaign is currently not known. However, it comes more than two months after cybersecurity firm Phylum disclosed details of another supply chain attack involving a Python package called "requests-darwin-lite" that was also found to unleash its malicious actions only after checking the UUID of the macOS host.

These campaigns are a sign that threat actors have prior knowledge of the macOS systems they want to infiltrate and are going to great lengths to ensure that the malicious payloads run only on those particular machines.

It also speaks to the tactics malicious actors employ to distribute lookalike packages, aiming to deceive developers into incorporating them into their applications.

"While it is not clear whether this attack targeted individuals or enterprises, these kinds of attacks can significantly impact enterprises," Gelb said. "While the initial compromise usually occurs on an individual developer's machine, the implications for enterprises can be substantial."



Author: info@thehackernews.com (The Hacker News)
Date: 2024-07-27 01:47:00
