Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that targets Apple macOS systems with the goal of stealing users’ Google Cloud credentials from a narrow pool of victims.
The package, named “lr-utils-lib,” attracted a total of 59 downloads before it was taken down. It was uploaded to the registry in early June 2024.
“The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data,” Checkmarx researcher Yehuda Gelb said in a Friday report. “The harvested credentials are sent to a remote server.”
An important aspect of the package is that it first checks whether it has been installed on a macOS system, and only then proceeds to compare the system’s Universally Unique Identifier (UUID) against a hard-coded list of 64 hashes.
If the compromised machine is among those specified in the predefined set, it attempts to access two files, namely application_default_credentials.json and credentials.db, located in the ~/.config/gcloud directory, which contain Google Cloud authentication data.
The captured information is then transmitted over HTTP to a remote server, “europe-west2-workload-422915[.]cloudfunctions[.]net.”
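As an added defender-side example (not code from the report or from the package itself), the following Python heuristic scans package source for the combination of behaviours described above: a macOS-only gate, a host-identifier hash compared against a hard-coded list, reads of the gcloud credential files, and an HTTP upload to a remote endpoint. The indicator names, regexes, thresholds and both sample snippets are my own constructions; any single indicator is common in legitimate code, so only the combination is flagged.

```python
import re
from pathlib import Path

# Indicator name -> regex over package source. Each alone is common in benign
# code (google-auth reads ADC too); the combination is what matches the report.
INDICATORS = {
    "macos_gate": re.compile(r"""platform\.system\(\)\s*==\s*['"]Darwin['"]|sys\.platform\s*==\s*['"]darwin['"]"""),
    "uuid_lookup": re.compile(r"IOPlatformUUID|uuid\.getnode\(\)"),
    "hash_gate": re.compile(r"hashlib\.(?:sha256|sha1|md5)\("),
    "gcloud_creds": re.compile(r"\.config/gcloud|application_default_credentials\.json|credentials\.db"),
    "remote_upload": re.compile(r"requests\.post\(|urllib\.request\.urlopen\(|cloudfunctions\.net"),
}
# Quoted 32-64 char hex strings: a long run of them looks like a hash allow-list.
HEX_LITERAL = re.compile(r"""['"][0-9a-fA-F]{32,64}['"]""")

def scan_source(text, min_hashes=8):
    """Return per-indicator hits plus a combined verdict for one file's source."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    hits["hash_list_size"] = len(HEX_LITERAL.findall(text))
    # Victim gating: a host-ID lookup, or a suspiciously long list of hashes.
    gated = hits["uuid_lookup"] or hits["hash_list_size"] >= min_hashes
    hits["suspicious"] = hits["gcloud_creds"] and hits["remote_upload"] and gated
    return hits

def scan_tree(root, min_hashes=8):
    """Scan every .py file under root (e.g. a site-packages dir); return flagged paths."""
    flagged = []
    for path in Path(root).rglob("*.py"):
        try:
            result = scan_source(path.read_text(errors="ignore"), min_hashes)
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if result["suspicious"]:
            flagged.append((str(path), result))
    return flagged

# Constructed samples (not the real package's code). The first carries only the
# indicator fragments, not a working program; the second reads ADC legitimately.
SUSPICIOUS_SAMPLE = '''
if platform.system() == "Darwin": ...
host_id = hashlib.sha256(str(uuid.getnode()).encode()).hexdigest()
ALLOWED = ["0f1e2d3c4b5a69788796a5b4c3d2e1f0", ...]  # placeholder hex
path = "~/.config/gcloud/application_default_credentials.json"
requests.post(REMOTE_URL, ...)
'''
BENIGN_SAMPLE = '''
from google.auth import default
creds, project = default()  # reads application_default_credentials.json
'''
```

Run `scan_tree` against a virtualenv's site-packages to triage newly installed dependencies; treat a hit as a prompt for manual review, not a verdict.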
Checkmarx said it also found a fake profile on LinkedIn with the name “Lucid Zenith” that matched the package’s owner and falsely claimed to be the CEO of Apex Companies, suggesting a possible social engineering element to the attack.
Exactly who is behind the campaign is currently not known. However, it comes more than two months after cybersecurity firm Phylum disclosed details of another supply chain attack involving a Python package called “requests-darwin-lite” that was also found to unleash its malicious actions only after checking the UUID of the macOS host.
These campaigns are a sign that threat actors have prior knowledge of the macOS systems they want to infiltrate and are going to great lengths to ensure that the malicious packages are delivered only to those particular machines.
It also speaks to the tactics malicious actors employ to distribute lookalike packages, aiming to deceive developers into incorporating them into their applications.
“While it’s not clear whether this attack targeted individuals or enterprises, these kinds of attacks can significantly impact enterprises,” Gelb said. “While the initial compromise usually occurs on an individual developer’s machine, the implications for enterprises can be substantial.”