Malicious PyPI Package Masquerades as Chimera Module to Steal AWS, CI/CD, and macOS Data

Cybersecurity experts have uncovered a malicious package on the Python Package Index (PyPI) repository that can extract sensitive developer-related data, such as credentials, configuration information, and environment variables.

The package, known as chimera-sandbox-extensions, received 143 downloads and appears to have targeted users of a service called Chimera Sandbox, released by Singaporean tech company Grab to aid in the “experimentation and development of [machine learning] solutions.”

Although the package pretends to be a helper module for Chimera Sandbox, it actually “seeks to steal credentials and other sensitive data like Jamf configuration, CI/CD environment variables, AWS tokens, and more,” according to JFrog security researcher Guy Korolevski.

Once installed, the package tries to connect to an external domain generated using a domain generation algorithm (DGA) to download and execute a subsequent payload.

The malware is capable of collecting various data from infected systems, including JAMF receipts, Pod sandbox environment authentication tokens, CI/CD details from environment variables, Zscaler host configuration, Amazon Web Services account information, public IP address, general platform, user, and host information.

The type of data gathered by the malware suggests a focus on corporate and cloud infrastructure, with the inclusion of JAMF receipts indicating potential targeting of Apple macOS systems.

The stolen data is sent back to the same domain via a POST request, where the server determines if the machine is a viable target for further exploitation. However, JFrog was unable to retrieve the payload during analysis.

Jonathan Sar Shalom, director of threat research at JFrog Security Research team, highlighted the targeted nature of this malware and the sophistication of its multi-stage payload, emphasizing the need for vigilance and proactive security measures to combat evolving threats.

This revelation coincides with reports from SafeDep and Veracode detailing several malware-infected npm packages designed to execute remote code and download additional payloads. The affected packages include eslint-config-airbnb-compat, ts-runtime-compat-check, solders, and @mediawave/lib.

Although these npm packages have been removed from the registry, they were downloaded numerous times before being taken down.

SafeDep’s analysis of eslint-config-airbnb-compat revealed a multi-stage remote code execution attack utilizing a transitive dependency to conceal the malicious code. Similarly, Solders incorporated a post-install script that automatically executed the malicious code upon installation.

Veracode’s Threat Research team highlighted the use of Unicode characters and dynamic code generation in Solders to obfuscate the malicious code, ultimately leading to the execution of a PowerShell command to fetch a next-stage payload.
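The post-install hook in Solders and the PowerShell and Unicode tricks Veracode describes are all visible in a package's manifest before anything runs. The following is an added example, not code from JFrog, Veracode or any of the packages named above: it audits a package.json for install-time lifecycle scripts and flags the patterns this article mentions. The two manifests are constructed samples, and the heuristic strings are assumptions, not signatures from the reports.

```python
import json
import re

# Lifecycle hooks npm runs automatically when a consumer installs the package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristics (assumed, not taken from any report) for install-time code delivery.
SUSPICIOUS = [
    (re.compile(r"\bpowershell\b|\bpwsh\b", re.I), "invokes PowerShell"),
    (re.compile(r"\bcurl\b|\bwget\b|Invoke-WebRequest", re.I), "downloads at install time"),
    (re.compile(r"\bnode\s+-e\b|\beval\(", re.I), "evaluates inline code"),
    (re.compile(r"[^\x00-\x7f]"), "contains non-ASCII characters"),
]


def audit_package_json(text):
    """Return (hook, reason) pairs for every install-time script in a package.json."""
    manifest = json.loads(text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        reasons = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
        # Any install hook is worth a look, even if no pattern matched.
        if not reasons:
            reasons = ["runs a lifecycle hook during install"]
        findings.append((hook, "; ".join(reasons)))
    return findings


# Constructed sample manifests; neither is a real package.
CLEAN = json.dumps({"name": "example-lib", "version": "1.0.0",
                    "scripts": {"test": "jest", "build": "tsc"}})
SUSPECT = json.dumps({"name": "example-compat", "version": "0.0.3",
                      "scripts": {"postinstall": "node -e \"require('./setup')\"",
                                  "preinstall": "powershell -NoProfile -File ./init.ps1"}})


def main():
    for label, doc in (("clean", CLEAN), ("suspect", SUSPECT)):
        for hook, reason in audit_package_json(doc) or [("-", "no install-time hooks")]:
            print(f"{label}: {hook}: {reason}")


if __name__ == "__main__":
    main()
```

Running `npm install --ignore-scripts` in CI prevents these hooks from executing at all, which is the simplest mitigation for the post-install vector described above.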

The complexity of these malware delivery mechanisms, as observed in the Veracode analysis, underscores the malicious intent behind these attacks and the lengths to which threat actors will go to evade detection.

Additionally, the report from Socket identified various threats targeting the cryptocurrency and blockchain development ecosystem, including credential stealers, cryptocurrency drainers, cryptojackers, and clippers.

Some examples of these threats include express-dompurify, pumptoolforvolumeandcomment, bs58js, lsjglsjdv, asyncaiosignal, and raydium-sdk-liquidity-init, each with specific capabilities to compromise system security and steal cryptocurrency-related data.

As the Web3 development landscape expands, threat actors are adapting their tactics to exploit vulnerabilities in the software supply chain, particularly targeting high-value blockchain projects.

AI and Slopsquatting

The emergence of AI-assisted coding has introduced a new threat known as slopsquatting, where large language models (LLMs) generate plausible but nonexistent package names that can be exploited by malicious actors for supply chain attacks.

Trend Micro documented an instance where an advanced agent created a phantom Python package called starlette-reverse-proxy, highlighting the potential security risks associated with such generated names if uploaded to a public repository.

While advanced coding agents and workflows can mitigate the risk of slopsquatting, there remains a potential for malicious actors to exploit phantom suggestions and register them on public registries for malicious purposes.

Sean Park, a security researcher at Trend Micro, emphasized the need for caution when using AI-generated package names to prevent such supply chain attacks.
