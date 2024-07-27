Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that targets Apple macOS systems with the goal of stealing Google Cloud credentials from a select group of victims.

It should be noted that macOS (like Linux) has historically been regarded as more secure than Windows, but that claim holds less every year, largely because the growing spread of Windows' main competitors makes them worthwhile targets in their own right.

What is the malicious Python (PyPI) package that “ruins” macOS systems and what does it do?

The Python (PyPI) package in question, called "lr-utils-lib," recorded a total of 59 downloads before it was removed; it was uploaded to the registry in early June 2024.

"The malware uses a list of predefined hashes to target specific macOS machines and attempts to collect Google Cloud authentication data," said Yehuda Gelb, a researcher at Checkmarx, in a report on Friday. "The collected credentials are sent to a remote server."

An important aspect of the PyPI package is that it first checks whether it has been installed on a macOS system, and only if so does it proceed to compare the system's Universally Unique Identifier (UUID) against a hard-coded list of 64 hashes.

If the machine's UUID matches one of the entries in that list, the payload attempts to read two files, application_default_credentials.json and credentials.db, located in the ~/.config/gcloud directory, which hold Google Cloud authentication data.

Figure: part of the source code of the malicious Python Package Index (PyPI) package.

The captured information is then transmitted via HTTP to a remote server, "europe-west2-workload-422915[.]cloudfunctions[.]net".
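The UUID-gated targeting and the credential paths described above lend themselves to a defender-side triage script: does this Mac's hardware UUID hash to an entry in the attacker's list, do the gcloud credential files exist and when were they last read, and does anything in site-packages combine a hardware-UUID lookup with those paths or a Cloud Functions host? The script below is an added example written for this article, not code from the package or from Checkmarx. It assumes the package hashes the IOPlatformUUID string with SHA-256 (the article does not state the hash algorithm), and the TARGET_HASHES set is a constructed placeholder, not the real list of 64 digests.

```python
"""Triage helper for a UUID-gated gcloud credential stealer (added example)."""
from __future__ import annotations

import hashlib
import platform
import re
import subprocess
from pathlib import Path
from typing import Optional

# Constructed placeholder list for this example. For real triage, replace it with
# the 64 digests extracted from the package (the article does not reproduce them).
TARGET_HASHES = {
    hashlib.sha256(b"00000000-0000-0000-0000-000000000001").hexdigest(),
    hashlib.sha256(b"00000000-0000-0000-0000-000000000002").hexdigest(),
}

# Files the article says the payload reads from ~/.config/gcloud.
GCLOUD_FILES = ("application_default_credentials.json", "credentials.db")

# Strings that, in combination, characterise this stealer: a hardware-UUID lookup,
# the gcloud credential directory, and a Cloud Functions exfiltration host.
INDICATORS = {
    "uuid_lookup": re.compile(r"IOPlatformUUID|IOPlatformExpertDevice"),
    "gcloud_dir": re.compile(r"\.config/gcloud"),
    "cloudfunctions": re.compile(r"cloudfunctions\.net"),
}


def uuid_hash(uuid: str) -> str:
    """Assumed gating scheme: SHA-256 hex digest of the UUID string as printed by ioreg."""
    return hashlib.sha256(uuid.strip().encode()).hexdigest()


def is_targeted(uuid: str, hashes=TARGET_HASHES) -> bool:
    """True if this UUID hashes to an entry in the attacker's list."""
    return uuid_hash(uuid) in hashes


def platform_uuid() -> Optional[str]:
    """Read IOPlatformUUID the way macOS tooling does; None when not on macOS."""
    if platform.system() != "Darwin":
        return None
    out = subprocess.run(
        ["ioreg", "-rd1", "-c", "IOPlatformExpertDevice"],
        capture_output=True, text=True, check=False,
    ).stdout
    m = re.search(r'"IOPlatformUUID"\s*=\s*"([^"]+)"', out)
    return m.group(1) if m else None


def find_indicators(source: str) -> set[str]:
    """Names of the indicator patterns present in one file's text."""
    return {name for name, rx in INDICATORS.items() if rx.search(source)}


def is_suspicious(hits: set[str]) -> bool:
    """google-auth legitimately references .config/gcloud, so only the combination
    of a hardware-UUID lookup with a credential path or an exfil host is flagged."""
    return "uuid_lookup" in hits and bool({"gcloud_dir", "cloudfunctions"} & hits)


def scan_tree(root) -> list[tuple[str, set[str]]]:
    """Walk a site-packages tree and report .py files whose indicators co-occur."""
    findings = []
    root = Path(root)
    if not root.is_dir():
        return findings
    for path in root.rglob("*.py"):
        try:
            hits = find_indicators(path.read_text(errors="ignore"))
        except OSError:
            continue
        if is_suspicious(hits):
            findings.append((str(path), hits))
    return findings


def gcloud_credential_files(config_dir=None) -> dict[str, dict[str, float]]:
    """Report which gcloud credential files exist and their last access/change times."""
    base = Path(config_dir) if config_dir else Path.home() / ".config" / "gcloud"
    report = {}
    for name in GCLOUD_FILES:
        p = base / name
        if p.is_file():
            st = p.stat()
            report[name] = {"size": st.st_size, "atime": st.st_atime, "mtime": st.st_mtime}
    return report


if __name__ == "__main__":
    import sys
    uuid = platform_uuid()
    print("IOPlatformUUID:", uuid, "| targeted:", is_targeted(uuid) if uuid else "n/a")
    print("gcloud credential files:", gcloud_credential_files())
    roots = sys.argv[1:] or [p for p in sys.path if p.endswith("site-packages")]
    for root in roots:
        for path, hits in scan_tree(root):
            print("SUSPICIOUS", path, sorted(hits))
```

Run it on the affected Mac with no arguments to check the local interpreter's site-packages, or pass the directories of other virtual environments. An atime on credentials.db later than the package's install time is worth correlating with the machine's outbound HTTP logs.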

Checkmarx said it also found a fake LinkedIn profile under the name "Lucid Zenith" matching the package's owner, which falsely claimed to be the CEO of Apex Companies, suggesting a possible social engineering element to the attack.

It is currently unknown who is behind this campaign; however, it comes more than two months after cybersecurity firm Phylum disclosed details of another supply chain attack involving a Python package called “requests-darwin-lite” that was found to activate its malicious actions after verifying the macOS host UUID.

These campaigns are a sign that the attackers have prior knowledge of the macOS systems they want to infiltrate and are going to great lengths to ensure the malicious payload runs only on those particular machines.

This also highlights the tactics used by cybercriminals to distribute similar packages, aiming to trick developers into incorporating them into their applications.

"While it is unclear whether this attack targeted individuals or businesses, these types of attacks can have a significant impact on businesses," Gelb said. "While the initial compromise usually occurs on a single developer's computer, the implications for businesses can be substantial."

Why are Python packages from the Python Package Index (PyPI) used for this type of attack?

The Python Package Index (PyPI) is a large repository of Python packages widely used by developers and companies to quickly integrate functionality into their applications; this popularity makes PyPI an attractive target for cybercriminals, as a compromised package can easily reach a large audience of users.

The relative ease with which anyone can publish packages to PyPI without rigorous review allows attackers to infiltrate the repository with malicious code.

This approach makes it possible to hit specific targets discreetly, exploiting developers' habit of trusting the packages available on PyPI and integrating them into their solutions without a close examination of the source code; moreover, malicious packages can be disguised with names similar to legitimate ones, further deceiving developers and increasing the likelihood of a successful attack.
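The lookalike-name trick in the last paragraph is something a pre-install check can catch. The following is an added example, not code from the article or from any package it mentions: it parses a requirements file, normalises names the way PyPI does (PEP 503), and flags any requested name within one edit (including an adjacent-letter swap) of a widely used package, or one that is a popular name with digits appended. The POPULAR list is a constructed stand-in; a real deployment would load the top-N PyPI download list.

```python
"""Flag requirements whose names imitate popular packages (added example)."""
from __future__ import annotations

import re

# Constructed short list for this example; use a real top-N download list in practice.
POPULAR = ["requests", "numpy", "colorama", "urllib3", "setuptools", "pillow", "cryptography"]

_NORMALISE = re.compile(r"[-_.]+")
# Characters that end a project name in a requirement line: version specifiers,
# extras, environment markers, URL references.
_SPEC_SPLIT = re.compile(r"[\s;\[<>=!~@]")


def normalise(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. collapse to one dash."""
    return _NORMALISE.sub("-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertion, deletion, substitution and adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalikes(name: str, popular=POPULAR, max_distance: int = 1) -> list[tuple[str, int]]:
    """Popular names that `name` resembles; an exact match is not a lookalike."""
    n = normalise(name)
    pop = {normalise(p) for p in popular}
    if n in pop:
        return []
    out = []
    for p in sorted(pop):
        dist = damerau_levenshtein(n, p)
        # 'requests2'-style suffixes are caught even when the distance exceeds the limit
        if dist <= max_distance or n.rstrip("0123456789") == p:
            out.append((p, dist))
    return out


def parse_requirement(line: str):
    """Project name from one requirements.txt line; None for comments and options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    return _SPEC_SPLIT.split(line, 1)[0]


def check_requirements(text: str, popular=POPULAR) -> dict[str, list[tuple[str, int]]]:
    """Map each suspicious requested name to the popular names it resembles."""
    flagged = {}
    for line in text.splitlines():
        name = parse_requirement(line)
        if name:
            hits = lookalikes(name, popular)
            if hits:
                flagged[name] = hits
    return flagged


if __name__ == "__main__":
    # Constructed sample requirements; 'reqeusts' and 'colourama' are the lookalikes.
    SAMPLE = "requests==2.31.0  # pinned\nreqeusts\ncolourama>=0.4\nnumpy\n-r base.txt\n"
    for name, hits in check_requirements(SAMPLE).items():
        print(f"{name!r} resembles {hits}")
```

A distance threshold of one is deliberately tight: raising it catches more squats but starts flagging legitimate short names, so treat hits as prompts for a manual look at the package's PyPI page and upload history rather than as a verdict.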