Researchers Uncover Malicious PyPI Package deal Posing as SentinelOne SDK to Steal Information

Deal Score0
Deal Score0

Dec 19, 2022Ravie LakshmananSoftware program Safety / Provide Chain

Cybersecurity researchers have found a brand new malicious bundle on the Python Package deal Index (PyPI) repository that impersonates a software program improvement equipment (SDK) for SentinelOne, a significant cybersecurity firm, as a part of a marketing campaign dubbed SentinelSneak.

The bundle, named SentinelOne and now taken down, is claimed to have been revealed between December 8 and 11, 2022, with almost two dozen variations pushed in fast succession over a interval of two days.

It claims to supply a better methodology to entry the company’s APIs, however harbors a malicious backdoor that is engineered to amass delicate info from improvement methods, together with entry credentials, SSH keys, and configuration knowledge.

What’s extra, the menace actor has additionally been noticed releasing two extra packages with related naming variations – SentinelOne-sdk and SentinelOneSDK – underscoring the continued threats lurking in open supply repositories.


“The SentinelOne imposter bundle is simply the newest menace to leverage the PyPI repository and underscores the rising menace to software program provide chains, as malicious actors use methods like ‘typosquatting’ to take advantage of developer confusion and push malicious code into improvement pipelines and legit purposes,” ReversingLabs menace researcher Karlo Zanki said in a report shared with The Hacker Information.

What’s notable in regards to the fraudulent bundle is it mimics a legitimate SDK that is supplied by SentinelOne to its clients, doubtlessly tricking builders into downloading the module from PyPI.

Malicious PyPI package

The software program provide chain safety firm famous that the SDK shopper code could have been “seemingly obtained from the corporate by the use of a authentic buyer account.”

Among the knowledge exfiltrated by the malware to a distant server embody shell command execution historical past, SSH keys, and different information of curiosity, indicating an try on the a part of the menace actor to siphon delicate info from improvement environments.

It is not instantly clear if the bundle was weaponized as a part of an energetic provide chain assault, though it has been downloaded greater than 1,000 occasions previous to its elimination.

The findings come as ReversingLabs’ State of Software program Provide Chain Safety report found that the PyPI repository has witnessed an almost 60% lower in malicious bundle uploads in 2022, dropping to 1,493 packages from 3,685 in 2021.

Quite the opposite, the npm JavaScript repository noticed a 40% enhance to almost 7,000, making it the “greatest playground for malicious actors.” In all, rogue bundle traits since 2020 have exhibited a 100 occasions rise in npm and greater than 18,000% in PyPI.

“Although small in scope and of little impression, this marketing campaign is a reminder to improvement organizations of the persistence of software program provide chain threats,” Zanki mentioned. “As with earlier malicious campaigns, this one performs on tried and true social engineering ways to confuse and mislead builders into downloading a malicious module.”

Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.

We will be happy to hear your thoughts

Leave a reply
Enable registration in settings - general