SentinelOne SDK-impersonating PyPi package leveraged in supply chain attack

SecurityWeek reports that a malicious PyPi package masquerading as a SentinelOne software development kit is being used in a new supply chain attack aimed at distributing a backdoor code for data theft. ReversingLabs researchers discovered that malicious code has been embedded within two api.py files alone, with the backdoor aimed at exfiltrating shell command execution history and SSH folder contents, including SSH keys and configuration data such as AWS, Git, and Kubernetes credentials. Root directory folders are also being listed by the malware, which delivers the collected information to the attackers' command-and-control server. "The malicious code appears designed to siphon sensitive information from development environments. Based on our analysis of the malware and the associated C&C infrastructure, it is unclear if this package was or is being used in active attacks against development environments, due to a lack of evidence found. The download stats suggest that the package has been downloaded more than 1,000 times," said ReversingLabs.