Disguised PyPI Package Impersonates Chimera Module to Exfiltrate AWS, CI/CD, and macOS Information
Cybersecurity researchers have identified a malicious package within the Python Package Index (PyPI) repository, designed to extract sensitive information from developers, including credentials, configuration data, and environment variables. This package, named chimera-sandbox-extensions, has garnered 143 downloads and appears to specifically target users of the Chimera Sandbox service, recently launched by Grab, a technology firm based in Singapore, for experimentation and development in machine learning solutions.
Disguised as a helper module for Chimera Sandbox, the package aims to pilfer sensitive credentials and data, such as Jamf configuration, CI/CD environment variables, AWS tokens, and more, as reported by Guy Korolevski, a security researcher at JFrog. When installed, it attempts to establish a connection to an external domain, generated via a domain generation algorithm (DGA), to download and execute a payload.
Upon connecting, the malware retrieves an authentication token from the domain, which it subsequently uses to request the Python-based information stealer. This malicious software is capable of extracting a wide array of data from compromised systems, including:
- JAMF receipts, records of software packages installed by Jamf Pro on managed machines
- Pod sandbox environment authentication tokens and git information
- CI/CD information from environment variables
- Zscaler host configuration
- Amazon Web Services account information and tokens
- Public IP address
- General platform, user, and host information
The data harvested indicates a focus on corporate and cloud infrastructure, with the capability to target Apple macOS systems by extracting JAMF receipts. Information collected is sent back to the initiating domain via a POST request, allowing the server to evaluate the machine’s potential for further exploitation. JFrog noted they could not acquire the payload during their analysis phase.
Jonathan Sar Shalom, the director of threat research at JFrog Security Research team, remarked on the sophistication of this malware, emphasizing its targeted and intricate multi-stage payload as indicative of a significant evolution within malicious packages compared to generic open-source malware threats previously encountered.
This disclosure aligns with investigations from SafeDep and Veracode, which detailed multiple malware-infused npm packages aimed at executing remote code and downloading additional payloads. These npm packages include:
- eslint-config-airbnb-compat (676 Downloads)
- ts-runtime-compat-check (1,588 Downloads)
- solders (983 Downloads)
- @mediawave/lib (386 Downloads)
All identified npm packages have subsequently been removed, but not before gaining substantial interaction from developers. SafeDep’s analysis of eslint-config-airbnb-compat highlighted that it relied on ts-runtime-compat-check, which fetches and executes a Base64-encoded string from an external server. The exact nature of this payload remains undetermined.
In the case of solders, the analysis revealed the inclusion of a post-install script within its package.json, triggering the execution of malicious code automatically upon installation. Furthermore, Veracode’s Threat Research team found that this code is obfuscated using Unicode characters as variable names and relies on a complex chain of dynamic code generation.
This obfuscated script checks if the compromised machine is operating on Windows and, if affirmative, executes a PowerShell command to gather a subsequent payload from a remote server. This secondary PowerShell script, also concealed, is constructed to receive a Windows batch script from another domain and configure the Windows Defender Antivirus exclusion list to evade detection. The batch script facilitates the execution of a .NET DLL that contacts a PNG image hosted online.
The DLL is capable of creating task scheduler entries and features functionality to bypass user account control (UAC) utilizing both FodHelper.exe and programmatic identifiers to circumvent security measures while avoiding user alerts.
The resulting DLL is identified as the Pulsar RAT, a “free, open-source Remote Administration Tool for Windows” and a variant of the Quasar RAT. The intricate delivery method involving multiple layers of obfuscation implies determined malicious intent, positioning the attacker as highly sophisticated.
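A defender-side check for the two traits described above for solders: an install-time lifecycle script in package.json and non-ASCII variable names in the script it runs. This is an added example, not code from Veracode, SafeDep or the packages themselves; the sample package names, file contents and the regex heuristic are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # run by `npm install`
DECL = re.compile(r"\b(?:var|let|const|function)\s+([^\s=(;,]+)")

def non_ascii_identifiers(js_source):
    """Declared names with non-ASCII characters (regex heuristic, not a JS parser)."""
    return sorted({n for n in DECL.findall(js_source) if not n.isascii()})

def audit_package(pkg_dir):
    """Report install-time hooks in one package (a Path) and odd names in the JS they run."""
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []  # unreadable or malformed manifest
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        return []
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        names = []
        for token in cmd.split():  # inspect local .js files named in the command
            target = pkg_dir / token
            if token.endswith(".js") and target.is_file():
                names += non_ascii_identifiers(target.read_text(encoding="utf-8", errors="replace"))
        findings.append({"package": manifest.get("name"), "hook": hook,
                         "command": cmd, "unicode_names": names})
    return findings

def audit_tree(root):
    """Audit every package.json under root, e.g. a node_modules directory."""
    return [f for m in sorted(Path(root).rglob("package.json")) for f in audit_package(m.parent)]

def demo():
    """Constructed sample: one package with a postinstall hook, one without."""
    with tempfile.TemporaryDirectory() as tmp:
        hooked, plain = Path(tmp, "sample-hooked"), Path(tmp, "sample-plain")
        hooked.mkdir()
        plain.mkdir()
        (hooked / "package.json").write_text('{"name": "sample-hooked", "scripts": {"postinstall": "node setup.js"}}')
        (hooked / "setup.js").write_text("const \u53d8\u91cf = 1; var plain = 2; let \uff58 = plain;", encoding="utf-8")
        (plain / "package.json").write_text('{"name": "sample-plain", "scripts": {"test": "node t.js"}}')
        return audit_tree(tmp)
```

Running `audit_tree` over a dependency tree fetched with lifecycle scripts disabled lets the hooks be reviewed before any of them executes.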
Emerging Threats in Open-Source Supply Chains
The recent findings coincide with a report from Socket, which identified a range of threats in the cryptocurrency and blockchain development ecosystem, including credential stealers, cryptocurrency drainers, cryptojackers, and clippers. Notable examples include:
- express-dompurify and pumptoolforvolumeandcomment, capable of harvesting browser credentials and cryptocurrency wallet keys
- bs58js, which drains victim wallets using multi-hop transfers
- lsjglsjdv, asyncaiosignal, and raydium-sdk-liquidity-init, which function as clippers to monitor clipboard contents for cryptocurrency wallet strings
As Web3 development integrates further into mainstream software engineering, the attack surface for blockchain-focused projects enlarges in complexity and scale. Financially motivated threat actors and state-sponsored groups evolve their tactics to exploit systemic weaknesses within the software supply chain.
AI and Slopsquatting Risks
The rise of AI-assisted coding has introduced a new threat of slopsquatting, wherein large language models erroneously generate plausible but non-existent package names that can be exploited for supply chain attacks. A report by Trend Micro discussed an advanced agent’s attempts to construct a non-existent Python package, which, if successfully uploaded by a malicious actor, could pose significant security risks.
Furthermore, advanced coding agents and workflows can help reduce the risk associated with slopsquatting, yet they do not eliminate it entirely. These mechanisms may inadvertently lead to the installation of unverified packages, thereby allowing malicious actors to pre-register hallucinated package names on public registries, increasing susceptibility to such threats.
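One way to keep hallucinated or look-alike names out of an install, added here as an example rather than taken from the Trend Micro report: vet every requirement an agent proposes against an internally approved set before it reaches pip. The approved set and the suggested names are constructed sample data; name normalization follows PEP 503.

```python
import difflib
import re

# Constructed sample data: an internally vetted set and an agent-proposed requirements file.
APPROVED = {"requests", "boto3", "numpy", "scikit-learn"}
SUGGESTED = """
requests>=2.31
Scikit_Learn==1.4.0
boto3-session-helper   # constructed name, not on the approved list
reqeusts               # constructed near-miss of an approved name
-r other.txt
"""

def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line):
    """Extract the normalized project name from one requirements line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):  # blank line, comment, or pip option
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None

def vet(requirements, approved):
    """Map each unapproved requirement to the approved names it closely resembles."""
    approved_norm = sorted({normalize(a) for a in approved})
    findings = {}
    for line in requirements.splitlines():
        name = requirement_name(line)
        if name is None or name in approved_norm:
            continue
        # An empty list means "unknown name"; a non-empty list suggests a look-alike.
        findings[name] = difflib.get_close_matches(name, approved_norm, n=3, cutoff=0.8)
    return findings

if __name__ == "__main__":
    for name, lookalikes in vet(SUGGESTED, APPROVED).items():
        print(f"BLOCK {name}: resembles {lookalikes or 'nothing approved'}")
```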
As threats to software supply chains become more complex and sophisticated, development teams must remain proactive, ensuring software integrity through vigilant security measures and continuous updates.