On Monday, researchers from ReversingLabs uncovered the latest instance of a malicious Python Package Index (PyPI) package impersonating a valid package. This now-removed package, called “SentinelOne”, contained the full functionality of SentinelOne’s software development kit (SDK), but also sought and exfiltrated developer-related information, such as AWS and Kube configuration data, SSH keys, and git-related information. The same threat actor also had multiple similarly-named packages without the malicious payload included. The “SentinelOne” package was uploaded 11 December, and had been updated multiple times until its final release on 13 December. In general, malicious PyPI packages have gone down in number since last year, but are still a significant threat to developers.
When developing tools, it can be easy to simply fall back on repositories to source libraries and packages to quickly fill gaps and reduce workload. However, especially when interfacing with commercial software, it is considered good practice to refer to documentation to identify approved sources for libraries and packages. For example, SentinelOne’s Frequently Asked Questions page reports that their SDK is available “directly from the Management console,” and not from any centralized repository like PyPI. As a secondary measure, developers and analysts can look at the initial upload date of packages, age of the account maintaining the package, and make cursory searches for potentially malicious content, such as hard-coded IP addresses, in any scripts.