Cybersecurity researchers have identified a malicious package on the Python Package Index (PyPI) repository that specifically targets Apple macOS systems in an attempt to steal users’ Google Cloud credentials from a limited group of victims.
The package, known as “lr-utils-lib,” received a total of 59 downloads before being removed. It was added to the registry in early June 2024.
“The malware uses a predefined list of hashes to target certain macOS machines and tries to collect Google Cloud authentication information,” stated Checkmarx researcher Yehuda Gelb in a report released on Friday. “The stolen credentials are then sent to a remote server.”
An important feature of the package is that it first verifies if it is installed on a macOS system before comparing the system’s Universally Unique Identifier (UUID) with a hardcoded list of 64 hashes.
If the compromised system matches one of the specified hashes, the package attempts to access two files, application_default_credentials.json and credentials.db, located in the ~/.config/gcloud directory, which contain Google Cloud authentication data.
The collected information is then sent over HTTP to a remote server at “europe-west2-workload-422915[.]cloudfunctions[.]net.”
Checkmarx also discovered a fake LinkedIn profile under the name “Lucid Zenith,” matching the owner of the package and falsely claiming to be the CEO of Apex Companies, indicating a potential social engineering aspect to the attack.
The identity of the perpetrators behind the campaign is currently unknown. However, this incident follows a disclosure by cybersecurity firm Phylum over two months ago regarding another supply chain attack involving a Python package called “requests-darwin-lite,” which similarly carried out malicious actions after checking the macOS host’s UUID.
These attacks suggest that threat actors have prior knowledge of the macOS systems they are targeting and are taking extensive measures to ensure that the malicious packages are distributed only to those specific machines.
This highlights the tactics used by malicious actors to distribute deceptive packages, aiming to trick developers into incorporating them into their applications.
“While it is unclear whether this attack was aimed at individuals or enterprises, such attacks can have a significant impact on businesses,” Gelb remarked. “Although the initial compromise usually occurs on an individual developer’s machine, the consequences for enterprises can be significant.”
