Cybersecurity researchers have unveiled a malicious package on the Python Package Index (PyPI) that can effectively steal sensitive information from developers. The offending package, named chimera-sandbox-extensions, has garnered 143 downloads and is likely aimed at users of a service known as Chimera Sandbox, released by Grab, a tech company based in Singapore, last August. This service serves as a platform for "experimentation and development of machine learning solutions."
While it masquerades as a helper module for Chimera Sandbox, the package’s real purpose is to exfiltrate credentials and sensitive data, including Jamf configuration, CI/CD environment variables, and AWS tokens, according to JFrog security researcher Guy Korolevski.
Upon installation, the malware uses a domain generation algorithm (DGA) to connect to an external domain, where it downloads and executes a secondary payload. Specifically, it retrieves an authentication token from this remote location, allowing it to access an information-stealing module designed to siphon a variety of data, including:
- JAMF receipts documenting software installed through Jamf Pro
- Authentication tokens for pod sandbox environments and git repositories
- CI/CD information from environment variables
- Configuration data for Zscaler hosts
- AWS account information and tokens
- Public IP address details
- General platform and user data
The nature of the information being targeted indicates that the malware is primarily focused on corporate and cloud infrastructures. Its ability to extract JAMF receipts also suggests that it can target macOS systems.
Once the data is collected, it is sent back to the same external domain via a POST request. The server then determines whether the compromised system is a viable target for further exploitation. Unfortunately, JFrog was unable to acquire the secondary payload during their analysis.
Jonathan Sar Shalom, the director of threat research at JFrog, pointed out that the targeted approach and the complexity of the malware’s multi-stage payload distinguish it from more common open-source malware threats encountered in previous incidents.
This incident follows revelations from SafeDep and Veracode regarding several npm packages also laced with malware. These packages were designed to execute remote code and fetch additional payloads, further underscoring the importance of vigilance and proactive security measures in software development.
Among the identified npm packages are:
eslint-config-airbnb-compatts-runtime-compat-checksolders@mediawave/lib
Each of these packages was promptly removed from npm after being downloaded numerous times. Investigation into eslint-config-airbnb-compat uncovered that it includes a dependency that contacts an external server to execute a Base64-encoded string, initiating a multi-stage remote code execution attack.
In another case, the solders package was found to have a post-installation script that executes its malicious code immediately upon installation.
The JavaScript contained a degree of obfuscation, utilizing Unicode characters as variable names, further complicating detection efforts. Once fully decoded, it revealed an attempt to ascertain whether the compromised machine was running Windows. If so, it executed a PowerShell command to download a subsequent payload.
This second-layer script was designed to fetch a Windows batch script from another domain and configure Windows Defender to avoid detection, paving the way for the launch of a .NET DLL. This complex strategy illustrates the lengths that attackers will go to conceal their payloads, highlighting the dynamic and evolving landscape of cyber threats.
As the cybersecurity landscape continues to evolve, so too do the tactics of financially motivated threat actors and state-sponsored groups, targeting the software supply chain with increasingly sophisticated attacks. This development emphasizes the necessity for ongoing updates, adaptive security measures, and research into emerging threats to maintain software integrity and protect sensitive information in development environments.
Welcome to DediRock, your trusted partner in high-performance hosting solutions. At DediRock, we specialize in providing dedicated servers, VPS hosting, and cloud services tailored to meet the unique needs of businesses and individuals alike. Our mission is to deliver reliable, scalable, and secure hosting solutions that empower our clients to achieve their digital goals. With a commitment to exceptional customer support, cutting-edge technology, and robust infrastructure, DediRock stands out as a leader in the hosting industry. Join us and experience the difference that dedicated service and unwavering reliability can make for your online presence. Launch our website.