Malicious PyPI package found posing as a SentinelOne SDK

[theregister.com] 1 month ago

Threat researchers have found a rapidly updated malicious Python package on PyPI masquerading as a legitimate software-development kit (SDK) from cybersecurity firm SentinelOne, but actually contains malware designed to exfiltrate data from infected systems.

The package, which carried the name SentinelOne and has since been taken down, was uploaded to the Python Package Index – an online index of packages for Python developers – on December 11 and over two days was updated 20 times.

It promised a simpler way to access and consume SentinelOne's APIs but included backdoor malware that enabled it to steal sensitive information from developers' systems, including SSH keys, credentials, configuration and host files, and configuration information from Amazon Web Services and Kubernetes .

"The package appears to be a fully functional SentinelOne client, but contains a malicious backdoor," ReversingLabs threat researcher Karlo Zanki wrote in a report this week. "The malicious functionality in the library does not execute upon installation, but waits to be called on programmatically before activating – a possible effort to avoid detection."

ReversingLabs dubbed the campaign "SentinelSneak" and said it was the latest example of software supply chain threats from cybercriminals abusing open-source package repositories like PyPI, npm, Ruby, GitHub, and NuGet to push malicious code.

Hiding within the repository by leveraging the name of a legitimate company is a way of evading detection. In this case, the attackers apparently had gotten hold of legitimate SentinelOne SDK client code and built the backdoor and info-stealing capabilities on top of it.

"It appears that the malicious actor(s) behind the SentinelOne PyPI package are attempting to draft on SentinelOne's strong brand recognition and reputation," Zanki wrote.

ReversingLabs sniffed out the malicious package by spotting interesting behavior two api.py files, including code that stole data and uploaded it to an IP address that didn't belong to SentinelOne.

Zanki wrote that it was unclear if the malware and command-and-control (C2) system were used in active attacks, but added that that package was downloaded more than 1,000 times before it was shut down and removed.

"Though small in scope, this campaign is a reminder to development organizations of the persistence of software supply chain threats," he wrote. "As with prior malicious open source supply chain campaigns, this one attempts to exploit confusion on the part of developers to push malicious code into development pipelines."

A recent report by ReversingLabs on software supply chain security found that miscreants continue to target package repositories. While there have been 60 percent fewer malicious package uploads year-over-year in 2022 – 1,493 this year – there were only eight such packages found in 2020. In contrast, there was more activity this year in the npm JavaScript repository, which had about 7,000 uploads, a 40 percent increase.

However, cybersecurity firm Phylum in November noted a campaign distributing the W4SP info-stealing malware through PyPI packages and last week issued a report of an additional 47 packages published on PyPI containing W4SP.

In addition, PyPI in August warned about the first known phishing attack against developers using the index.

Zanki wrote that development organizations need to expand training and awareness programs to keep developers from falling for such impersonation attacks as typosquatting.

The SentinelSneak campaign "also highlights the need for tools and processes to ensure that any open source or proprietary code is evaluated for the presence of suspicious or malicious indicators including hidden (obfuscated) functionality, unexplained communications with third party infrastructure and more," he wrote. ®