Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that targets Apple macOS systems to steal Google Cloud user credentials from a narrow pool of victims.
A package called “lr-utils-lib” attracted a total 59 downloads before it was taken down. It was uploaded to the registry in early June 2024.
“The malware uses a list of predefined hashes to target specific macOS machines and attempts to collect Google Cloud authentication data,” Checkmarx researcher Yehuda Gelb. said in Friday’s report. “Collected credentials are sent to a remote server.”
An important aspect of the package is that it first checks if it has been installed on a macOS system before proceeding to compare the system’s Universally Unique Identifier (UUID) with a hard-coded list of 64 hashes.
If the compromised machine is among those specified in the predefined set, it tries to access two files, namely application_default_credentials.json and credentials.db, located in the ~/.config/gcloud directory, which contain Google Cloud credentials.
The resulting information is then transmitted via HTTP to the remote server “europe-west2-workload-422915(.)cloudfunctions(.)net”.
Checkmarx said it also found a fake LinkedIn profile with the name “Lucid Zenith” matching the owner of the package and falsely claiming to be the CEO of Apex Companies, suggesting a possible social engineering element to the attack.
Who exactly is behind the company is still unknown. However, this comes more than two months after cyber security company Phylum opened details another supply chain attack involving a Python package called “requests-darwin-lite”, which was also found to have released its malware after inspecting the UUID of the macOS host.
These campaigns are a sign that threat actors have prior knowledge of the macOS systems they want to infiltrate, and are working hard to ensure that malicious packages are only distributed to those specific machines.
It also speaks to the tactics attackers use to distribute similar packages to trick developers into including them in their applications.
“While it is unclear whether this attack targeted individuals or businesses, such attacks can have a significant impact on businesses,” Gelb said. “While the initial compromise typically occurs on an individual developer’s machine, the implications for businesses can be significant.”
