Security News > 2022 > December > Researchers Discover Malicious PyPI Package Posing as SentinelOne SDK to Steal Data

Cybersecurity researchers have discovered a new malicious package on the Python Package Index repository that impersonates a software development kit for SentinelOne, a major cybersecurity company, as part of a campaign dubbed SentinelSneak.

"The SentinelOne imposter package is just the latest threat to leverage the PyPI repository and underscores the growing threat to software supply chains, as malicious actors use strategies like 'typosquatting' to exploit developer confusion and push malicious code into development pipelines and legitimate applications," ReversingLabs threat researcher Karlo Zanki said in a report shared with The Hacker News.

What's notable about the fraudulent package is it mimics a legitimate SDK that's offered by SentinelOne to its customers, potentially tricking developers into downloading the module from PyPI. The software supply chain security company noted that the SDK client code may have been "Likely obtained from the company by way of a legitimate customer account."

The findings come as ReversingLabs' State of Software Supply Chain Security report found that the PyPI repository has witnessed a nearly 60% decrease in malicious package uploads in 2022, dropping to 1,493 packages from 3,685 in 2021.

On the contrary, the npm JavaScript repository saw a 40% increase to nearly 7,000, making it the "Biggest playground for malicious actors." In all, rogue package trends since 2020 have exhibited a 100 times rise in npm and more than 18,000% in PyPI. "Though small in scope and of little impact, this campaign is a reminder to development organizations of the persistence of software supply chain threats," Zanki said.

"As with previous malicious campaigns, this one plays on tried and true social engineering tactics to confuse and mislead developers into downloading a malicious module."

News URL

https://thehackernews.com/2022/12/researchers-discover-malicious-pypi.html