Malicious PyPI package found posing as a SentinelOne SDK

upnorth

Threat researchers have found a rapidly updated malicious Python package on PyPI that masquerades as a legitimate software-development kit (SDK) from cybersecurity firm SentinelOne but actually contains malware designed to exfiltrate data from infected systems.

The package, which carried the name SentinelOne and has since been taken down, was uploaded to the Python Package Index – an online index of packages for Python developers – on December 11 and over two days was updated 20 times. It promised a simpler way to access and consume SentinelOne's APIs but included backdoor malware that enabled it to steal sensitive information from developers' systems, including SSH keys, credentials, configuration and host files, and configuration information from Amazon Web Services and Kubernetes. "The package appears to be a fully functional SentinelOne client, but contains a malicious backdoor," ReversingLabs threat researcher Karlo Zanki wrote in a report this week. "The malicious functionality in the library does not execute upon installation, but waits to be called on programmatically before activating – a possible effort to avoid detection."

ReversingLabs dubbed the campaign "SentinelSneak" and said it was the latest example of software supply chain threats from cybercriminals abusing open-source package repositories like PyPI, npm, Ruby, GitHub, and NuGet to push malicious code. Hiding within the repository by leveraging the name of a legitimate company is a way of evading detection. In this case, the attackers apparently had gotten hold of legitimate SentinelOne SDK client code and built the backdoor and info-stealing capabilities on top of it.
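The report's key detection point is that the collection code sits behind a function and only runs when called, not on install or import. The script below is an added example, not code from the article, ReversingLabs or the package: it statically triages a module's source for string literals that reference the data categories named above (SSH keys, AWS and Kubernetes configuration, the hosts file) and notes whether each reference is deferred inside a function. The scanned module and the path patterns are constructed assumptions for this example.

```python
import ast
import re

# Paths an API-client SDK has no legitimate reason to reference
# (assumed patterns, chosen to match the categories in the report).
SENSITIVE_PATTERNS = {
    "ssh_keys": re.compile(r"\.ssh[/\\]|id_(rsa|ed25519|ecdsa)"),
    "aws_config": re.compile(r"\.aws[/\\](credentials|config)"),
    "kube_config": re.compile(r"\.kube[/\\]config|KUBECONFIG"),
    "hosts_file": re.compile(r"/etc/hosts|drivers[/\\]etc[/\\]hosts"),
}

# Constructed sample: a plausible "SDK" module with a dormant collector.
SAMPLE_MODULE = '''
import os
API_BASE = "https://api.example.invalid/v2"   # benign SDK constant

class Client:
    def __init__(self, token):
        self.token = token

    def _collect(self):            # never runs on import, only when called
        home = os.path.expanduser("~")
        paths = [home + "/.ssh/id_rsa", home + "/.aws/credentials",
                 home + "/.kube/config", "/etc/hosts"]
        return [p for p in paths if os.path.exists(p)]
'''

def scan_source(source: str) -> list:
    """Return one finding per sensitive string literal: its category,
    line number, and whether it is nested in a function (deferred)."""
    tree = ast.parse(source)
    in_function = set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            in_function.update(id(n) for n in ast.walk(node))
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for category, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(node.value):
                    findings.append({"category": category, "line": node.lineno,
                                     "deferred": id(node) in in_function})
    return findings

def triage(source: str) -> dict:
    """Summarise a scan: which categories appear, and whether every hit is
    deferred (the evasion pattern the report describes)."""
    findings = scan_source(source)
    return {"categories": sorted({f["category"] for f in findings}),
            "deferred_only": bool(findings) and all(f["deferred"] for f in findings)}

if __name__ == "__main__":
    print(triage(SAMPLE_MODULE))
```

Run it against the extracted source of a wheel or sdist before importing the package; a hit on every category inside a method that nothing in the package calls is exactly the shape worth escalating.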

Andrezj

In this case, the attackers apparently had gotten hold of legitimate SentinelOne SDK client code and built the backdoor and info-stealing capabilities on top of it.
Likely another repo hack and then a malicious embed.
The threat actors are able to leverage open source package hosting platforms such as PyPI because they know there is easy, unconditional access to upload, no verification of uploaded packages, and, most importantly, people that download and use these packages accept them as safe: exploitation of user nature.