Cybersecurity researchers have uncovered a malicious package on the Python Package Index (PyPI) that targets macOS systems to steal Google Cloud credentials.
The package, named “lr-utils-lib,” was uploaded in early June 2024 and downloaded 59 times before being removed. It targets a specific group of macOS machines using predefined hashes to steal Google Cloud authentication data.
The researchers reported that the malware first checks if it is installed on a macOS system. If so, it compares the system’s Universally Unique Identifier (UUID) against a hard-coded list of 64 hashes. If the machine matches, the malware attempts to access two files, application_default_credentials.json and credentials.db, located in the ~/.config/gcloud directory, which contain Google Cloud credentials. The stolen data is then sent to a remote server, “europe-west2-workload-422915[.]cloudfunctions[.]net.”
The researchers also discovered a fake LinkedIn profile under the name “Lucid Zenith,” linked to the package owner, who falsely claimed to be the CEO of Apex Companies. This suggests a social engineering component to the attack.
The attackers’ identities remain unknown, but this incident follows a similar supply chain attack discovered by cybersecurity firm Phylum two months earlier. In that attack, the malicious package “requests-darwin-lite” also activated after verifying the macOS host’s UUID.
These targeted campaigns indicate that threat actors have prior knowledge of the macOS systems they aim to infiltrate and meticulously distribute malicious packages to those specific machines. This strategy highlights the deceptive tactics used by attackers to trick developers into incorporating harmful packages into their applications.
Although it is unclear whether this attack targeted individuals or enterprises, the impact on enterprises could be significant. The researchers noted that while the initial compromise typically occurs on an individual developer’s machine, the potential consequences for enterprises are substantial.
Regularly updating and monitoring systems for suspicious activity and having a robust incident response plan in place can protect against potential threats. Ensuring multi-factor authentication (MFA) for cloud accounts adds an extra layer of security.
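The indicators named in this article (the two package names, the two gcloud credential files and the exfiltration host) can be checked on a developer machine with a short audit script. The following is an added example, not code from the researchers or from the article; the function names, the report keys and the sample proxy log lines are constructed for illustration.

```python
import re
from importlib import metadata
from pathlib import Path

# Indicators taken from the article; the host stays defanged in source.
BAD_PACKAGES = {"lr-utils-lib", "requests-darwin-lite"}
EXFIL_HOST = "europe-west2-workload-422915[.]cloudfunctions[.]net".replace("[.]", ".")
GCLOUD_FILES = ("application_default_credentials.json", "credentials.db")

def normalize(name):
    """PEP 503 normalization: lr_utils_lib and LR.Utils.Lib name the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_names():
    """Names of every distribution visible to this interpreter."""
    names = (d.metadata.get("Name") for d in metadata.distributions())
    return [n for n in names if n]

def flagged_packages(names):
    return sorted({normalize(n) for n in names} & BAD_PACKAGES)

def exposed_credentials(home):
    """gcloud files the malware reads; if present, they are what needs rotating."""
    base = Path(home) / ".config" / "gcloud"
    return [name for name in GCLOUD_FILES if (base / name).is_file()]

def log_hits(lines):
    """Proxy or DNS log lines that mention the exfiltration host."""
    return [ln for ln in lines if EXFIL_HOST in ln.lower()]

def audit(names, home, log_lines):
    pkgs, hits = flagged_packages(names), log_hits(log_lines)
    creds = exposed_credentials(home)
    return {"packages": pkgs, "credential_files": creds, "log_hits": hits,
            "rotate_credentials": bool(creds) and bool(pkgs or hits)}

# Constructed sample proxy log lines (hypothetical hosts and format).
SAMPLE_LOG = [
    "2024-06-10T09:14:02Z dev-mac-01 CONNECT pypi.org:443 200",
    f"2024-06-10T09:14:07Z dev-mac-01 CONNECT {EXFIL_HOST}:443 200",
    "2024-06-10T09:15:30Z dev-mac-02 CONNECT storage.googleapis.com:443 200",
]

if __name__ == "__main__":
    # Replace SAMPLE_LOG with real proxy or DNS log lines for an actual audit.
    for key, value in audit(installed_names(), Path.home(), SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it once per Python environment on the machine, since each virtual environment has its own set of installed distributions.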