Security News > 2024 > July > Malicious PyPI Package Targets macOS to Steal Google Cloud Credentials
Cybersecurity researchers have discovered a malicious package on the Python Package Index repository that targets Apple macOS systems with the goal of stealing users' Google Cloud credentials from a narrow pool of victims.
The package, named "Lr-utils-lib," attracted a total of 59 downloads before it was taken down.
"The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data," Checkmarx researcher Yehuda Gelb said in a Friday report.
An important aspect of the package is that it first checks if it has been installed on a macOS system, and only then proceeds to compare the system's Universally Unique Identifier against a hard-coded list of 64 hashes.
It comes more than two months after cybersecurity firm Phylum disclosed details of another supply chain attack involving a Python package called "Requests-darwin-lite" that was also found to unleash its malicious actions after checking the UUID of the macOS host.
These campaigns are a sign that threat actors have prior knowledge of the macOS systems they want to infiltrate and are going to great lengths to ensure that the malicious packages are distributed only to those particular machines.
News URL
https://thehackernews.com/2024/07/malicious-pypi-package-targets-macos-to.html
Related news
- PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing (source)
- Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform (source)
- Snowflake Warns: Targeted Credential Theft Campaign Hits Cloud Customers (source)
- Google fixes Chrome Password Manager bug that hides credentials (source)