Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Malicious PyPI Module Poses as SentinelOne SDK

Security researchers with ReversingLabs warn of a new supply chain attack using a malicious PyPI module that poses as a software development kit (SDK) from the cybersecurity firm SentinelOne.

Security researchers with ReversingLabs warn of a new supply chain attack using a malicious PyPI module that poses as a software development kit (SDK) from the cybersecurity firm SentinelOne.

The Python package was first uploaded on December 11 and received roughly 20 updates within the next two days. The module is completely unrelated to the legitimate threat detection firm, but abuses its brand reputation to attract unsuspecting victims.

Seemingly a fully-functional SentinelOne client – the malicious SDK appears built on top of legitimate SentinelOne code – the package contains backdoor code meant for data theft.

“This PyPI package is intended to serve as an SDK to abstract the access to SentinelOne’s APIs and make programmatic consumption of the APIs simpler,” ReversingLabs, which calls the attack ‘SentinelSneak’, notes.

The malicious package contains two api.py files that engage in suspicious behavior such as enumerating files in a directory, executing a file, deleting a file/directory, and spawning a new process.

An analysis of the updates that the package received over the course of two days showed that only api.py files were modified. These are the only package modules to contain the malicious code.

Advertisement. Scroll to continue reading.

The backdoor was designed to exfiltrate data specific to development environments, such as shell command execution history and the contents of the SSH folder, which stores SSH keys and configuration information, including login credentials for Git, Kubernetes, and AWS services.

The malware also lists folders in the root directory and sends all collected data to the command-and-control (C&C) server.

The modifications made to the package show that the attackers attempted to adapt to targets by fine-tuning the backdoor to better work on multiple operating systems.

ReversingLabs says it observed five additional packages with similar naming variations, but those did not contain api.py files with malicious functionality. These packages were seen prior to December 11 and were likely meant for testing purposes.

“The malicious code appears designed to siphon sensitive information from development environments. Based on our analysis of the malware and the associated C&C infrastructure, it is unclear if this package was or is being used in active attacks against development environments, due to a lack of evidence found. The download stats suggest that the package has been downloaded more than 1,000 times,” ReversingLabs warns.

Related: Python, JavaScript Developers Targeted With Fake Packages Delivering Ransomware

Related: Security Firms Find Over 20 Malicious PyPI Packages Designed for Data Theft

Related: New OpenSSF Project Hunts for Malicious Packages in Open Source Repositories

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.