Cybersecurity researchers at ReversingLabs have discovered a new malicious package, named ‘SentinelOne,’ on the Python Package Index (PyPI) repository that impersonates a legitimate software development kit (SDK) for SentinelOne.
The package, SentinelOne has no connection to the noted threat detection firm of the same name and was first uploaded to PyPI, the Python Package Index, on Dec 11, 2022.
The package appears to be a fully functional SentinelOne client, but contains a malicious backdoor, according to ReversingLabs threat researcher Karlo Zanki. The malicious functionality in the library does not execute upon installation, but waits to be called on programmatically before activating – a possible effort to avoid detection. We are calling this campaign “SentinelSneak.”
The backdoor was designed to exfiltrate data specific to development environments, such as shell command execution history and the contents of the SSH folder, which stores SSH keys and configuration information, including login credentials for Git, Kubernetes, and AWS services.
The malware also lists folders in the root directory and sends all collected data to the command-and-control (C&C) server.
The fake ‘SentinelOne’ package contains “api.py files that contains the code to steal and exfiltrate data uploading it to the IP address 54[.]254[.]189[.]27).
Threat actors published five additional malicious packages with a similar name, these modules did not contain api.py files with malicious functionality, a circumstance that suggests they were used for testing purposes.
The ReversingLabs research team is continuously monitoring open-source package repositories for instances of malicious code
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment