Targeted PyPi Package Steals Google Cloud Credentials From macOS Devs

Published: 23/11/2024   Category: security




The campaign is laser-targeted, bucking the trend of spray-and-pray malicious open source packages turning up in code repositories seemingly every other day.



Researchers have come across a rather odd Python code package online that aims to steal Google Cloud Platform credentials from a very limited set of macOS victims.
The package, lr-utils-lib, was uploaded to the Python Package Index (PyPi) early in June, and conceals its malicious code in the setup file, Checkmarx explained in a blog post on July 26 — thus allowing it to execute right away upon installation. The code then checks that it's running on a macOS system, and if so, checks the system's IOPlatformUUID, which is the value used to identify a particular Mac computer.
It turns out that the malware is highly targeted, only looking to infect a predetermined list of 64 specific machines. Further information about those machines, and the attacker targeting them, is unknown at this point, but it's worth noting that the package's name is very close to that of a legitimate package called lr-utils, which is widely used in deep learning and neural network applications, and to download large data sets. Dark Reading has sent a request for comment to Checkmarx to see if this could give a sense of the possible targets of the campaign.
In any event, from those machines, lr-utils-lib attempts to exfiltrate Google Cloud Platform credentials to a remote server, with the potential for follow-on attacks on cloud assets, including data theft, malware implantation, and the introduction of vulnerable components into the environment that can be exploited for lateral movement. As Ross Bryant, head of research at Phylum, explains, "The risk is obvious. Anyone who has your digital credentials effectively has all your rights and privileges."
Another interesting aspect of the campaign involves social engineering. The package owner goes by the name Lucid Zenith, and apparently claims to be the CEO of a legitimate organization — Apex Companies LLC — on LinkedIn. There is also another LinkedIn profile belonging to the real CEO of the company, but the fake page is apparently so convincing that some AI platforms, including Perplexity, incorrectly stated that Lucid Zenith is the true CEO of the company, Checkmarx noted.
"We queried various AI-powered search engines and chatbots to learn more about Lucid Zenith's position," according to the post. "What we found was a variety of inconsistent responses."
It added, "This was quite shocking since the AI-powered search engine could have easily confirmed the fact by checking the official company page, or even noticing that there were two LinkedIn profiles claiming the same title."
Malicious packages are utterly commonplace, masquerading as legitimate and useful software components while hiding their true nature. And more often than not, that true nature involves data theft. And because open source software (OSS) is, by definition, open to anyone, it's typically a good way to breach a wide variety of targets across regions.
This campaign stands out, Bryant explains, because OSS is being used in a highly targeted manner; however, there is limited precedent for the approach. "For instance, the malicious npm packages that we have seen associated with North Korean activity appear to be highly targeted," he says. "Each package has unique identifiers which we attribute to individual targets. Once the victim has been compromised, the attacker immediately unpublishes the package, leaving behind almost no trace." This has been effective enough to steal billions of dollars' worth of cryptocurrency.
Dark Reading has reached out to Checkmarx for more information about lr-utils-lib, including its current status. At the time of writing, a search for it on PyPi yielded no results, but it can still threaten those who have already imported it into their projects.
To mitigate the risk that your organization unwittingly accepts one of these laser-targeted packages, "Vigilance is required at every upgrade for every package and all its dependencies in an organization's software supply chain," says Bryant. "Developers should also be wary of social engineering attacks that have been very effective lately."
For its part, Checkmarx stressed that critical thinking is an invaluable asset when it comes to defending against this kind of attack. "Users should ensure they are installing packages from trusted sources and verify the contents of the setup scripts," according to the post. "The associated fake LinkedIn profile and inconsistent handling of this false information by AI-powered search engines ... serves as a reminder of the limitations of AI-powered tools for information verification, drawing parallels to issues like package hallucinations. It underscores the critical need for strict vetting processes, multi-source verification, and fostering a culture of critical thinking."
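"Verify the contents of the setup scripts" is easier to do consistently with a small static triage pass. The script below, an added example that is not part of the article or of Checkmarx's research, walks the AST of a setup.py and flags the indicators the article describes: a custom install command (code that runs at install time), a macOS platform check, OS or network modules imported in the setup script, and machine-identifier or credential-path strings. The sample setup.py it scans is constructed for this example with the payload stubbed out; it is not the lr-utils-lib code.

```python
import ast

# Constructed sample: the install-hook shape the article describes (macOS check plus a
# machine-identifier lookup), with the target-list comparison and exfiltration stubbed out.
SAMPLE_SETUP_PY = '''
import sys, subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        if sys.platform == "darwin":
            out = subprocess.check_output(["ioreg", "-c", "IOPlatformExpertDevice"]).decode()
            if "IOPlatformUUID" in out:
                pass  # stub: real package compared the UUID against a target list

setup(name="example-lib", version="0.1", cmdclass={"install": PostInstall})
'''

RISKY_MODULES = {"subprocess", "urllib", "requests", "socket", "http", "ctypes", "base64"}
INSTALL_COMMANDS = {"install", "develop", "egg_info", "build_py"}
MARKER_STRINGS = ("IOPlatformUUID", "ioreg", "gcloud", "application_default_credentials")

def triage_setup_py(source: str) -> dict:
    """Walk the AST of a setup.py and collect install-time execution indicators."""
    f = {"install_hook": False, "platform_check": False, "risky_imports": set(), "markers": set()}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            f["risky_imports"] |= {a.name.split(".")[0] for a in node.names} & RISKY_MODULES
        elif isinstance(node, ast.ImportFrom) and node.module:
            f["risky_imports"] |= {node.module.split(".")[0]} & RISKY_MODULES
        elif isinstance(node, ast.ClassDef):
            # class X(install): or class X(setuptools.command.install.install):
            for b in node.bases:
                if (b.id if isinstance(b, ast.Name) else getattr(b, "attr", None)) in INSTALL_COMMANDS:
                    f["install_hook"] = True
        elif isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            # sys.platform, platform.system(), platform.mac_ver()
            if node.value.id in {"sys", "platform"} and node.attr in {"platform", "system", "mac_ver"}:
                f["platform_check"] = True
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            f["markers"] |= {m for m in MARKER_STRINGS if m in node.value}
    return f

def needs_manual_review(findings: dict) -> bool:
    """Flag a package when code runs at install time and touches the OS, network or platform."""
    return findings["install_hook"] and bool(findings["risky_imports"] or findings["platform_check"])

if __name__ == "__main__":
    print(triage_setup_py(SAMPLE_SETUP_PY))
```

Run it against the sdist's setup.py (e.g. from `pip download --no-binary :all: <pkg>`) before installing; a hit is a prompt for manual review, not proof of malice, since legitimate packages also use custom install commands.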
