Tuesday, November 12, 2024
HomeCyber AttackMalicious Python Package Attacking macOS Developers To Steal Google Cloud Logins

Malicious Python Package Attacking macOS Developers To Steal Google Cloud Logins

Published on

Malware protection

Hackers continuously exploit malicious Python packages to attack developer environments and inject harmful code that enables them to steal sensitive information, install malware, or create backdoors.

The method takes advantage of the widely-used repositories for packaging consequently creating a widespread impact with minimum effort from the attackers.

Cybersecurity researchers at CheckMarx recently identified that threat actors have been actively abusing a malicious package, “lr-utils-lib” to attack macOS developers to steal Google Cloud logins.

- Advertisement - SIEM as a Service

Malicious Python Package

It has been found that a malicious package called “lr-utils-lib” targets macOS systems to steal Google Cloud Platform credentials.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

This setup.py file of the package contains hidden code, which is activated during the installation, aimed specifically at macOS by checking system type and comparing the IOPlatformUUID of the device with a list of 64 pre-defined known hashes.

Once it finds a match, this malware tries to reach and take away sensitive data from ~/.config/gcloud/application_default_credentials.json files as well as credentials.db files.

All these will then be sent to a remote server (europe-west2-workload-422915.cloudfunctions.net).

Attack flow (Source – CheckMarx)

This sophisticated attack is linked to a fake LinkedIn profile under the name “Lucid Zenith” who claims to be the CEO of Apex Companies, LLC.

The incident revealed how advanced cyber threats are today in terms of combining malware distribution, social engineering tactics, and exploiting inconsistencies in AI search engines’ ability to verify information.

The “lr-utils-lib” malware attack was accompanied by a complex social engineering aspect of a fake LinkedIn account for “Lucid Zenith” who falsely claimed to be the CEO of Apex Companies, LLC.

Fake LinkedIn profile (Source – CheckMarx)

AI-driven search engines had insufficiently confirmed this trick, with some wrongly authenticating the false data.

This occurrence shows that threat actors can take advantage of flaws in information verification by AI systems and consequently it is important to check and double-check multiple sources when utilizing AI tools for research purposes.

The Python package “lr-utils-lib” reveals a targeted attack on macOS users who can steal Google Cloud credentials. For this reason, when working with third-party packages, one needs to be very careful about their security.

This event magnifies the broader cybersecurity problems that can arise from it such as having a fake LinkedIn profile and AI search engine verifiers that do not match with each other.

Software development and information-seeking techniques consequently require substantial scrutiny via rigorous vetting processes, multi-source verification, and critical thinking.

These types of attacks may begin by targeting individual developers, but they have far-reaching effects on enterprise security, which could cause data breaches and destroy reputations.

IOCs

  • europe-west2-workload-422915[.]cloudfunctions[.]net
  • lucid[.]zeniths[.]0j@icloud[.]com

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...