Cybersecurity researchers have discovered a new malicious package on the Python Package Index (PyPI) repository that impersonates a software development kit (SDK) for SentinelOne, a major cybersecurity company, as part of a campaign dubbed SentinelSneak.
The package, named SentinelOne and now taken down, is said to have been published between December 8 and 11, 2022, with nearly two dozen versions pushed in quick succession over a period of two days.
It claims to offer an easier method to access the company’s APIs, but harbours a malicious backdoor that’s engineered to amass sensitive information from development systems, including access credentials, SSH keys, and configuration data.
What’s more, the threat actor has also been observed releasing two more packages with similar naming variations – SentinelOne-sdk and SentinelOneSDK – underscoring the continued threats lurking in open source repositories.
“The SentinelOne imposter package is just the latest threat to leverage the PyPI repository and underscores the growing threat to software supply chains, as malicious actors use strategies like ‘typosquatting’ to exploit developer confusion and push malicious code into development pipelines and legitimate applications,” ReversingLabs threat researcher Karlo Zanki said in a report shared with The Hacker News.
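The impersonation pattern described above (a brand name plus an `-sdk`/`SDK` suffix, or a near-miss spelling of a real dependency) can be caught before `pip install` runs by checking a requirements file against what a project actually depends on. The script below is an added illustration, not code from the article, ReversingLabs or SentinelOne; the allowlist, brand watchlist and requirements lines are constructed sample data, and the two-character edit-distance threshold is an assumed tuning value.

```python
"""Flag dependency names that impersonate or typosquat expected packages.

Added illustration, not code from the article or from ReversingLabs/SentinelOne.
The allowlist, brand watchlist and requirement lines below are constructed
sample data; the edit-distance threshold is an assumed setting.
"""
import re


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


REQUIREMENT_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirement(line: str):
    """Return the project name from a requirements.txt line, or None for blanks, comments and pip options."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "-")):
        return None
    match = REQUIREMENT_RE.match(stripped)
    return match.group(1) if match else None


def find_suspicious(requirement_lines, allowlist, brand_watchlist, max_distance=2):
    """Return (name, reason) pairs for requirements that look like impersonation.

    allowlist: package names the project genuinely depends on.
    brand_watchlist: vendor/brand strings; a non-allowlisted package whose name
    contains one of them is flagged, since an unexpected 'vendor-sdk' style name
    is exactly the pattern the SentinelSneak packages used.
    A non-allowlisted name within max_distance edits of an allowlisted one is
    flagged as a probable typosquat.
    """
    allowed = {normalize(n) for n in allowlist}
    brands = [normalize(b) for b in brand_watchlist]
    findings = []
    for line in requirement_lines:
        raw = parse_requirement(line)
        if raw is None:
            continue
        name = normalize(raw)
        if name in allowed:
            continue
        brand_hits = [b for b in brands if b in name]
        if brand_hits:
            findings.append((raw, f"not allowlisted but contains brand name {brand_hits[0]!r}"))
            continue
        for ok in sorted(allowed):
            distance = levenshtein(name, ok)
            if 0 < distance <= max_distance:
                findings.append((raw, f"edit distance {distance} from allowlisted package {ok!r}"))
                break
    return findings


# Constructed sample input: one brand impersonation with a hyphen, one without,
# one transposed-letter typosquat of a real dependency, and two legitimate pins.
SAMPLE_REQUIREMENTS = [
    "# pinned dependencies",
    "requests==2.28.1",
    "SentinelOne-sdk==0.1.3",
    "sentinelonesdk",
    "reqeusts>=2.0",
    "urllib3==1.26.13",
]
SAMPLE_ALLOWLIST = ["requests", "urllib3"]
SAMPLE_BRANDS = ["sentinelone"]

if __name__ == "__main__":
    for pkg, reason in find_suspicious(SAMPLE_REQUIREMENTS, SAMPLE_ALLOWLIST, SAMPLE_BRANDS):
        print(f"SUSPICIOUS {pkg}: {reason}")
```

Run against the sample data it reports `SentinelOne-sdk` and `sentinelonesdk` as non-allowlisted names carrying the watched brand, and `reqeusts` as two edits away from `requests`. The allowlist is the important input: a name-similarity check on its own cannot tell a vendor's real client library from an imposter, so the decision has to be anchored in the dependencies the project is known to use.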