Security News > 2022 > December > Malicious ‘SentinelOne’ PyPI package steals data from developers
Threat actors have published a malicious Python package on PyPI, named 'SentinelOne,' that pretends to be the legitimate SDK client for the trusted American cybersecurity firm but, in reality, steals data from developers.
The attack was discovered by ReversingLabs, which confirmed the malicious functionality and reported the package to SentinelOne and PyPi, leading to the removal of the package.
The malicious SentinelOne package was uploaded to PyPI for the first time on December 11, 2022, and has been updated twenty times since then.
According to the researchers, the package is believed to be a copy of the actual SentinelOne SDK python client, and the threat actor performed the updates to improve and fix the malicious functionality of the package.
Upon further analysis, ReversingLabs found that the bogus 'SentinelOne' package contains "Api.py" files with malicious code that steals and uploads data to the IP address, which does not belong to SentinelOne's infrastructure.
All the published versions of the malicious information-stealing malware package have been downloaded over 1,000 times on PyPI. From the collected evidence, ReversingLabs researchers couldn't determine if the package has been used in actual attacks yet.