
Malicious PyPI Package Targets macOS to Steal Google Cloud Credentials


Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that targets Apple macOS systems with the goal of stealing users' Google Cloud credentials from a narrow pool of victims.

The package, named "lr-utils-lib," attracted a total of 59 downloads before it was taken down. It was uploaded to the registry in early June 2024.

"The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data," Checkmarx researcher Yehuda Gelb said in a Friday report. "The harvested credentials are sent to a remote server."


A crucial aspect of the package is that it first checks whether it has been installed on a macOS system, and only then proceeds to compare the system's Universally Unique Identifier (UUID) against a hard-coded list of 64 hashes.

If the compromised machine is among those specified in the predefined set, it attempts to access two files, namely application_default_credentials.json and credentials.db, located in the ~/.config/gcloud directory, which contain Google Cloud authentication data.


The captured information is then transmitted over HTTP to a remote server, "europe-west2-workload-422915[.]cloudfunctions[.]net."
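A defensive check built from the indicators in this report, as an added example that is neither Checkmarx's nor the package's own code: a small scanner that walks a Python site-packages tree and ranks each source file by whether it references the exfiltration host, the gcloud credential store, or outbound HTTP calls. The sample files it scans are constructed here for illustration; in real use you would point scan_tree at your interpreter's site-packages directory.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional
# Indicators from the report above; the exfil host is shown without defanging brackets.
EXFIL_HOST = "europe-west2-workload-422915.cloudfunctions.net"
INDICATORS = {
    "exfil_host": re.compile(re.escape(EXFIL_HOST)),
    "gcloud_creds": re.compile(
        r"\.config/gcloud/(?:application_default_credentials\.json|credentials\.db)"),
    "outbound_http": re.compile(
        r"\b(?:requests\.(?:get|post|put)|urllib\.request\.urlopen|http\.client\.HTTPS?Connection)\b"),
}

def scan_source(text: str) -> dict[str, bool]:
    return {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}

def verdict(hits: dict[str, bool]) -> Optional[str]:
    # A known IoC outranks the behavioural combination, which outranks a lone hint
    if hits["exfil_host"]:
        return "high: references the exfil host named in the lr-utils-lib report"
    if hits["gcloud_creds"] and hits["outbound_http"]:
        return "medium: touches the gcloud credential store and makes HTTP calls"
    if hits["gcloud_creds"]:
        return "low: touches the gcloud credential store"
    return None

def scan_tree(root: Path) -> list[tuple[str, str]]:
    """Return (path relative to root, verdict) for every flagged .py file under root."""
    findings = []
    for path in sorted(root.rglob("*.py")):
        v = verdict(scan_source(path.read_text(encoding="utf-8", errors="ignore")))
        if v:
            findings.append((path.relative_to(root).as_posix(), v))
    return findings

# Constructed sample tree (not real package code): a benign module, one that merely
# names the credential file, and one that carries the report's indicators.
SAMPLES = {
    "ok/util.py": "import json\n\ndef dump(x):\n    return json.dumps(x)\n",
    "hint/cfg.py": "CREDS = '~/.config/gcloud/credentials.db'  # documented path\n",
    "bad/core.py": f"P = '~/.config/gcloud/application_default_credentials.json'\nURL = 'https://{EXFIL_HOST}/'\n",
}

def demo() -> list[tuple[str, str]]:
    # Write SAMPLES to a temporary directory and scan it
    root = Path(tempfile.mkdtemp())
    for rel, body in SAMPLES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return scan_tree(root)
```

The string patterns are deliberately simple; obfuscated or dynamically built paths and hostnames will not match, so treat a clean result as one signal rather than proof of absence.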

Checkmarx said it also found a fake profile on LinkedIn with the name "Lucid Zenith" that matched the package's owner and falsely claimed to be the CEO of Apex Companies, suggesting a possible social engineering component to the attack.

Exactly who is behind the campaign is currently not known. However, it comes more than two months after cybersecurity firm Phylum disclosed details of another supply chain attack involving a Python package called "requests-darwin-lite" that was also found to unleash its malicious actions after checking the UUID of the macOS host.


These campaigns are a sign that threat actors have prior knowledge of the macOS systems they want to infiltrate and are going to great lengths to ensure that the malicious packages are delivered only to those particular machines.

It also speaks to the tactics malicious actors employ to distribute lookalike packages, aiming to deceive developers into incorporating them into their applications.

"While it is not clear whether this attack targeted individuals or enterprises, these kinds of attacks can significantly impact enterprises," Gelb said. "While the initial compromise usually occurs on an individual developer's machine, the implications for enterprises can be substantial."
