Researchers discovered a malicious PyPI package disguised as a helper module for Chimera Sandbox, a service many developers use to build machine learning solutions. The package, named chimera-sandbox-extensions, attracted 143 downloads.
It can harvest sensitive developer-related information, such as credentials, configuration data, and environment variables. The malicious package appears to be designed mainly to target corporate and cloud infrastructure, going after sensitive data such as AWS tokens, CI/CD environment variables, and macOS configurations.
The Hacker News reported that the package was published to PyPI, an online repository for Python developers, as part of a red teaming exercise conducted by a cybersecurity vendor.
Analysis:
The targeted approach employed by this malware demonstrates the growing sophistication of supply chain attacks, where user trust is abused to compromise software integrity.
Open-source software underpins many of today’s applications, so when even one malicious package slips into PyPI, it can quietly infect numerous applications in the supply chain.
Developers rely on a wide range of open-source packages and should have processes in place to prevent similar threats, such as keeping dependencies up to date, using curated package registries, checking all third-party and open-source packages before integration, and verifying package authenticity.
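As one way to check packages before integration, the following added example (not from the original article) audits a pip requirements file for denylisted names, unpinned versions, and missing artifact hashes. The denylist contents, the finding labels, and the sample file are assumptions made for illustration; names are compared after PEP 503 normalization so spelling variants of a known-bad package still match.

```python
import re

# Known-bad project names; the single entry is the package named in this article.
DENYLIST = {"chimera-sandbox-extensions"}

# Constructed sample input: versions and the all-zero hash are placeholders.
SAMPLE = """\
# constructed sample requirements file
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
numpy>=1.26
Chimera_Sandbox.Extensions==0.0.1
"""

def normalize(name):
    """PEP 503: PyPI treats runs of '-', '_' and '.' as equal, ignoring case."""
    return re.sub(r"[-_.]+", "-", name).lower()

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    for raw in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            yield line

def audit(text):
    """Return (project, finding) pairs for one requirements file."""
    findings = []
    for line in logical_lines(text):
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if not m:  # option lines such as -r or --index-url
            continue
        name = normalize(m.group(0))
        if name in DENYLIST:
            findings.append((name, "denylisted"))
        # An exact pin is '==' plus a full version; wildcards like 2.* do not count.
        if not re.search(r"(?<![=!<>~])==\s*[\w.!+]+(?=\s|;|$)", line):
            findings.append((name, "unpinned"))
        # Without a hash, the installer cannot verify the downloaded artifact.
        if "--hash=sha256:" not in line:
            findings.append((name, "no-hash"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Once every entry carries a pin and a hash, `pip install --require-hashes -r requirements.txt` enforces the same property at install time.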