Connect with us

Hi, what are you looking for?



Malicious PyPI Module Poses as SentinelOne SDK

Security researchers with ReversingLabs warn of a new supply chain attack using a malicious PyPI module that poses as a software development kit (SDK) from the cybersecurity firm SentinelOne.

Security researchers with ReversingLabs warn of a new supply chain attack using a malicious PyPI module that poses as a software development kit (SDK) from the cybersecurity firm SentinelOne.

The Python package was first uploaded on December 11 and received roughly 20 updates within the next two days. The module is completely unrelated to the legitimate threat detection firm, but abuses its brand reputation to attract unsuspecting victims.

Seemingly a fully-functional SentinelOne client – the malicious SDK appears built on top of legitimate SentinelOne code – the package contains backdoor code meant for data theft.

“This PyPI package is intended to serve as an SDK to abstract the access to SentinelOne’s APIs and make programmatic consumption of the APIs simpler,” ReversingLabs, which calls the attack ‘SentinelSneak’, notes.

The malicious package contains two files that engage in suspicious behavior such as enumerating files in a directory, executing a file, deleting a file/directory, and spawning a new process.

An analysis of the updates that the package received over the course of two days showed that only files were modified. These are the only package modules to contain the malicious code.

The backdoor was designed to exfiltrate data specific to development environments, such as shell command execution history and the contents of the SSH folder, which stores SSH keys and configuration information, including login credentials for Git, Kubernetes, and AWS services.

The malware also lists folders in the root directory and sends all collected data to the command-and-control (C&C) server.

Advertisement. Scroll to continue reading.

The modifications made to the package show that the attackers attempted to adapt to targets by fine-tuning the backdoor to better work on multiple operating systems.

ReversingLabs says it observed five additional packages with similar naming variations, but those did not contain files with malicious functionality. These packages were seen prior to December 11 and were likely meant for testing purposes.

“The malicious code appears designed to siphon sensitive information from development environments. Based on our analysis of the malware and the associated C&C infrastructure, it is unclear if this package was or is being used in active attacks against development environments, due to a lack of evidence found. The download stats suggest that the package has been downloaded more than 1,000 times,” ReversingLabs warns.

Related: Python, JavaScript Developers Targeted With Fake Packages Delivering Ransomware

Related: Security Firms Find Over 20 Malicious PyPI Packages Designed for Data Theft

Related: New OpenSSF Project Hunts for Malicious Packages in Open Source Repositories

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights