Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that targets Apple macOS systems intending to steal users’ Google Cloud credentials from a narrow pool of victims. The package, named “lr-utils-lib,” attracted 59 downloads before it was taken down. It was uploaded to the registry in early June 2024.
Checkmarx researcher Yehuda Gelb said the malware targets specific macOS machines using predefined hashes and attempts to harvest Google Cloud authentication data, which is then sent to a remote server.
An important aspect of the package is that it first checks whether it has been installed on a macOS system. Only then does it compare the system’s Universally Unique Identifier (UUID) against a hard-coded list of 64 hashes. If there is a match, it attempts to access two files, application_default_credentials.json and credentials.db, located in the ~/.config/gcloud directory, which contain Google Cloud authentication data.
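The behaviour described above (a platform check, a machine-UUID comparison against a list of hashes, and reads of the gcloud credential files) is a combination that can be flagged before a package is installed. The following scanner is an added example written for this article, not Checkmarx's or Phylum's code. Only the two gcloud file names and the ~/.config/gcloud path come from the report; the platform-check and UUID-lookup patterns, the hash-literal heuristic, and the threshold of eight hash-like strings are assumptions about how such gating code is typically written. The sample package tree it scans is constructed inline.

```python
"""Pre-install indicator scan for a downloaded Python package (added example)."""
import os
import re
import tempfile

# Indicator patterns. The gcloud paths are from the article; the other
# patterns are assumptions about how an OS/UUID gate is commonly coded.
INDICATORS = {
    "macos_check": re.compile(
        r"platform\.system\(\)\s*==\s*['\"]Darwin['\"]|sys\.platform\s*==\s*['\"]darwin['\"]"),
    "uuid_lookup": re.compile(r"IOPlatformUUID|uuid\.getnode\(\)|\bioreg\b"),
    "gcloud_creds": re.compile(
        r"application_default_credentials\.json|credentials\.db|\.config/gcloud"),
}
# A long list of hash-like hex literals in install code is unusual (assumed heuristic).
HEX_LITERAL = re.compile(r"['\"][0-9a-fA-F]{32,64}['\"]")
HEX_THRESHOLD = 8


def scan_source(text):
    """Return the indicator names found in one source text and the count of hash-like literals."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    return {"indicators": sorted(hits), "hash_literals": len(HEX_LITERAL.findall(text))}


def is_high_risk(result):
    """Credential-file access alone is normal in gcloud client code; require it to be
    combined with an OS check, a UUID lookup, or a large hash list before escalating."""
    ind = set(result["indicators"])
    gated = "macos_check" in ind or "uuid_lookup" in ind or result["hash_literals"] >= HEX_THRESHOLD
    return "gcloud_creds" in ind and gated


def scan_package(root):
    """Walk an unpacked package tree and report every .py file with at least one indicator."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = scan_source(fh.read())
            if result["indicators"] or result["hash_literals"] >= HEX_THRESHOLD:
                result["path"] = os.path.relpath(path, root)
                result["high_risk"] = is_high_risk(result)
                findings.append(result)
    return findings


def build_samples(root):
    """Write a constructed sample tree: one setup.py showing the gated pattern as inert
    strings, and one benign helper that merely names the ADC file (no gating)."""
    gated = "\n".join([
        "import platform",
        "KNOWN = [" + ", ".join('"%064x"' % i for i in range(10)) + "]",
        'if platform.system() == "Darwin":',
        '    target = "~/.config/gcloud/credentials.db"',
    ])
    benign = "\n".join([
        "# ordinary gcloud client helper (constructed)",
        'CREDS_FILE = "application_default_credentials.json"',
    ])
    os.makedirs(os.path.join(root, "pkg"), exist_ok=True)
    with open(os.path.join(root, "setup.py"), "w") as fh:
        fh.write(gated)
    with open(os.path.join(root, "pkg", "auth.py"), "w") as fh:
        fh.write(benign)


def demo():
    """Scan the constructed sample tree; map each flagged file to its high-risk verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        findings = scan_package(tmp)
    return {f["path"]: f["high_risk"] for f in findings}


if __name__ == "__main__":
    for path, risky in demo().items():
        print(f"{path}: {'HIGH RISK' if risky else 'review'}")
```

Both files are reported because each references a gcloud credential file, but only setup.py is marked high risk: the benign helper lacks the platform gate and the hash list, which is exactly the distinction that keeps legitimate Google Cloud client code from drowning the alert. Running this against the unpacked sdist or wheel before `pip install` is the point; install hooks in setup.py execute at install time, so a post-install scan is too late.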
Researchers also found a fake LinkedIn profile with the name “Lucid Zenith” that matched the package’s owner and falsely claimed to be the CEO of Apex Companies, indicating a possible social engineering element to the attack.
While the attackers remain unidentified, this incident follows a similar campaign reported by Phylum, who gave details of another supply chain attack involving a Python package called “requests-darwin-lite” that was also found to unleash its malicious actions after checking the UUID of the macOS host.
These attacks show the sophistication of threat actors’ methods: targeting predetermined victims and using deceptive packages to infiltrate developer workflows. Such methods pose serious risks to individuals and enterprises, since a compromised developer machine can lead to broader organizational impact.