Threat actors have released a trojanised Python package pretending to be the legitimate SDK for the trusted cybersecurity firm SentinelOne. The malware offers the expected functionality, allowing easy access to the SentinelOne API; however, it has been trojanised to steal sensitive data from compromised developer accounts. The stolen data includes bash and zsh histories, SSH keys, .gitconfig files, hosts files, AWS configuration information and more. Such data commonly contains auth tokens, secrets and API keys, and it is believed that the threat actor intentionally targets developer environments to gain further access to their cloud services and servers. This is another reason why we need to verify the packages that we download from the internet before using them.
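As an added example (not code from the podcast, from SentinelOne or from the malicious package), here is a small defender-side scan that flags package source files referencing the developer secrets the segment lists; the package name, file contents and regex patterns are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Sensitive developer files the segment says the trojanised package harvests;
# each label maps to a regex matching a reference to that location.
SENSITIVE_PATTERNS = {
    "shell history": r"\.(bash|zsh)_history",
    "ssh keys": r"\.ssh[/\\]",
    "git config": r"\.gitconfig",
    "hosts file": r"(?:/etc/hosts|drivers[/\\]etc[/\\]hosts)",
    "aws config": r"\.aws[/\\](?:config|credentials)",
}

def scan_package(root: Path) -> dict:
    """Walk every .py file under root and return {relative_path: [labels]}
    for files that reference one or more of the sensitive locations."""
    findings = {}
    for source in sorted(root.rglob("*.py")):
        text = source.read_text(errors="ignore")
        hits = [label for label, pattern in SENSITIVE_PATTERNS.items()
                if re.search(pattern, text)]
        if hits:
            findings[str(source.relative_to(root))] = hits
    return findings

def demo() -> dict:
    """Build a constructed two-file package (not the real malicious package),
    scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "fake_sdk"
        pkg.mkdir()
        # Benign module: the API wrapper a real SDK would ship.
        (pkg / "client.py").write_text(
            'BASE_URL = "https://console.example.invalid/api"\n'
            'def get(path, token):\n'
            '    return {"url": BASE_URL + path, "token": token}\n'
        )
        # Constructed stealer-like module that reads the files the segment lists.
        (pkg / "collector.py").write_text(
            'import os\n'
            'TARGETS = ["~/.bash_history", "~/.ssh/id_rsa", "~/.gitconfig",\n'
            '           "/etc/hosts", "~/.aws/credentials"]\n'
            'DATA = {t: open(os.path.expanduser(t)).read() for t in TARGETS}\n'
        )
        return scan_package(pkg)
```

The same idea applies before installation: pin dependencies with hashes in requirements.txt and install with pip's --require-hashes so a substituted archive fails to install.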

This segment was created for the It’s 5:05 podcast