In the latest supply chain attack, an unknown threat actor has created a malicious Python package that appears to be a software development kit (SDK) for a well-known security client from SentinelOne.
According to an advisory from cybersecurity firm ReversingLabs issued on Monday, the package, dubbed SentinelSneak, appears to be a “fully functional SentinelOne client” and is currently under development with frequent updates appearing on the Python Package Index (PyPI), the main repository for Python code.
SentinelSneak does not attempt malicious actions when it is installed, but it waits for its function to be called by another program, researchers noted. As such, the attack highlights attackers’ focus on the software supply chain as a way to inject compromised code into targeted systems as a beachhead for further attacks. So far, those further attacks have likely not happened, researchers said.
“A cursory glance at the source of this package would have easily missed the malicious functionality injected in the otherwise legitimate SDK code,” says Tomislav Pericin, chief software architect at ReversingLabs.
In another typosquatting attack, a threat group uploaded at least 29 clones of popular software packages to PyPI.
“The SentinelOne imposter package is just the latest threat to leverage the PyPI repository and underscores the growing threat to software supply chains, as malicious actors use strategies like ‘typosquatting’ to exploit developer confusion and push malicious code into development pipelines and legitimate applications,” ReversingLabs stated in its advisory.
While code repositories of all kinds are under attack, overall, the npm ecosystem has suffered more malicious attention than the Python Package Index. In 2022, 1,493 malicious packages have been uploaded to PyPI, a drop of nearly 60% from the 3,685 malicious uploads detected by ReversingLabs in 2021, the company stated.
Fooling the Unwary
In the latest effort, the fake SentinelOne 1.2.1 package raises many red flags, the advisory stated. The suspicious behaviors include the execution of files, the creation of new processes, and communicating with external servers using their IP address rather than a domain name.
ReversingLabs stressed that the client has no connection to SentinelOne, besides using the security firm’s name. The PyPI package appears to be an SDK that helps simplify programmatic access to the client.
“It could be that malicious actors are attempting to draft on SentinelOne’s strong brand recognition and reputation, leading PyPI users to believe that they have deployed SentinelOne’s security solution, without taking the — necessary — step of becoming a SentinelOne customer,” ReversingLabs stated in its advisory. “This PyPI package is intended to serve as an SDK to abstract the access to SentinelOne’s APIs and make programmatic consumption of the APIs simpler.”
In a statement to Dark Reading, SentinelOne reiterated that the package is fake: “SentinelOne is not involved with the recent malicious Python package leveraging our name. Attackers will put any name on their campaigns that they think may help them deceive their intended targets, however this package is not affiliated with SentinelOne in any way. Our customers are secure, we have not seen any evidence of compromise due to this campaign, and PyPI has removed the package.”
Attackers See Developers as Another Vector
The attack also shows that developers are becoming an increasing target of attackers, who see them as a weak point in targeted companies’ defenses, as well as a potential way to infect those companies’ customers.
In September, for example, attackers used stolen credentials and a development Slack channel to compromise game developer Rockstar Games and gain access to sensitive data, including assets for the developer’s flagship Grand Theft Auto franchise.
For that reason, companies should help their developers understand which software components could pose a risk, Pericin says.
“Developers should put new project dependencies under a higher degree of scrutiny before opting to install them,” he says. “Given that the malware only activates when used, not when installed, a developer might have even built a new app on top of this malicious SDK without noticing anything odd.”
In the case of SentinelSneak, the threat actor behind the Trojan horse published five additional packages, using variations on the SentinelOne name. The variations appear to be tests and did not have a key file that encapsulated much of the malicious functionality.
ReversingLabs reported the incident to the PyPI security team on Dec. 15, the company said. SentinelOne was notified the next day.
“We’ve caught this malicious package very early,” the company said. “There’s no indication that anybody has yet been affected by this malware.”
Story was updated to include a statement from SentinelOne.