Security News > 2022 > December > Malicious PyPI package found posing as a SentinelOne SDK

Threat researchers have found a rapidly updated malicious Python package on PyPI masquerading as a legitimate software-development kit from cybersecurity firm SentinelOne, but actually contains malware designed to exfiltrate data from infected systems.

The package, which carried the name SentinelOne and has since been taken down, was uploaded to the Python Package Index - an online index of packages for Python developers - on December 11 and over two days was updated 20 times.

"The package appears to be a fully functional SentinelOne client, but contains a malicious backdoor," ReversingLabs threat researcher Karlo Zanki wrote in a report this week.

ReversingLabs dubbed the campaign "SentinelSneak" and said it was the latest example of software supply chain threats from cybercriminals abusing open-source package repositories like PyPI, npm, Ruby, GitHub, and NuGet to push malicious code.

While there have been 60 percent fewer malicious package uploads year-over-year in 2022 - 1,493 this year - there were only eight such packages found in 2020.

Cybersecurity firm Phylum in November noted a campaign distributing the W4SP info-stealing malware through PyPI packages and last week issued a report of an additional 47 packages published on PyPI containing W4SP. In addition, PyPI in August warned about the first known phishing attack against developers using the index.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/12/21/pypi_malware_sentinelone/