A dangerous piece of malware has been discovered hidden inside a Python software package, raising serious concerns about the security of open-source tools often used by developers.
Security experts at JFrog recently found a harmful package uploaded to the Python Package Index (PyPI) – a popular online repository where developers share and download software components. This specific package, named chimera-sandbox-extensions, was designed to secretly collect sensitive information from developers, especially those working with cloud infrastructure.
The package was uploaded by a user going by the name chimerai and appears to target users of the Chimera sandbox— a platform used by developers for testing. Once installed, the package launches a chain of events that unfolds in multiple stages.
It starts with a function called check_update() which tries to contact a list of web domains generated using a special algorithm. Out of these, only one domain was found to be active at the time of analysis. This connection allows the malware to download a hidden tool that fetches an authentication token, which is then used to download a second, more harmful tool written in Python.
This second stage of the malware focuses on stealing valuable information. It attempts to gather data such as Git settings, CI/CD pipeline details, AWS access tokens, configuration files from tools like Zscaler and JAMF, and other system-level information. All of this stolen data is bundled into a structured file and sent back to a remote
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.