In a stark reminder of the vulnerabilities inherent in open-source ecosystems, new revelations confirm that attackers are targeting Python Package Index (PyPI) repositories with sophisticated, multi-stage malware.
Security firm JFrog recently identified and reported a malicious package, “chimera-sandbox-extensions,” uploaded by the user “chimerai.”
Unlike typical malware, this threat targets corporate users and cloud environments, exfiltrating sensitive data, including AWS tokens, CI/CD environment variables, and macOS-specific credentials, such as those associated with Jamf.

Open-source repositories, such as PyPI, are foundational to modern software development, enabling the rapid integration of community-built libraries.
However, their transparency and reach make them appealing targets for cybercriminals. The JFrog Security Research team regularly monitors these platforms with automated tools, and their latest findings underscore the increasing complexity of supply chain attacks.
The “chimera-sandbox-extensions” package, for instance, not only seeks to steal data but also demonstrates advanced obfuscation and payload delivery techniques.
Technical Breakdown: How the Attack Works
The malicious package employs a novel Domain Generation Algorithm (DGA) to establish contact with attacker-controlled infrastructure.
At runtime, the check_update() function is invoked, leveraging a custom CharStream class to generate subdomains pseudo-randomly.
Each session, the package attempts to connect to ten unique subdomains, but only one, such as twdtsgc8iuryd0iu.chimerasandbox[.]workers[.]dev/auth, is valid and responsive.
The DGA operates by seeding a randomized state and shuffling arrays based on the seed, ensuring reproducible domain sequences.
Once a successful connection is made, the package retrieves an authentication token and, using it, requests and executes a secondary payload.
This stage-two payload is a Python-based infostealer, dynamically imported and invoked with the update() function.
Data collection is highly targeted and includes:
- Jamf receipts and macOS authentication tokens
- Pod sandbox environment details
- Git repository information
- CI/CD pipeline environment variables
- Zscaler host configuration
- AWS account details and tokens
- Public IP and additional host metadata
The stolen data is exfiltrated to the attacker’s server via a POST request, packaged in a JSON structure.
The attack is designed to facilitate multi-stage exploitation, with the potential for additional payloads to be delivered and executed on compromised systems.
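The DGA behaviour described above (ten subdomain attempts per session, only one of which responds) leaves a recognisable pattern in resolver or proxy logs. The following detection logic is an added example, not code from JFrog or from the package. The log format, the OK/FAIL outcome field, the thresholds, the client addresses and every subdomain label except the one quoted above are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IOC_PARENT = "chimerasandbox.workers.dev"  # parent domain from the article, refanged
IOC_LABEL = "twdtsgc8iuryd0iu"             # the one subdomain label the article names

def sample_log():
    """Constructed log, one line per lookup: '<ISO time> <client> <host> <OK|FAIL>'."""
    base = datetime(2025, 1, 1, 9, 0, 0)  # arbitrary constructed start time
    labels = [f"constructed{i:02d}" for i in range(9)] + [IOC_LABEL]
    rows = [(base + timedelta(seconds=2 * i), "10.0.0.7", f"{lab}.{IOC_PARENT}",
             "OK" if lab == IOC_LABEL else "FAIL") for i, lab in enumerate(labels)]
    # Benign contrast: many subdomains of one parent, but every lookup succeeds.
    rows += [(base + timedelta(seconds=i), "10.0.0.9", f"img{i}.cdn.example.net", "OK")
             for i in range(6)]
    rows.append((base, "10.0.0.7", "pypi.org", "OK"))
    return "\n".join(f"{t.isoformat()} {c} {h} {s}" for t, c, h, s in rows)

def find_dga_bursts(log_text, window=timedelta(seconds=60), min_unique=5, max_ok_ratio=0.3):
    """Flag clients that try many distinct subdomains of one parent in a short
    window with mostly failed lookups. Returns (client, parent, unique, is_ioc)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, status = line.split()
        label, _, parent = host.lower().rstrip(".").partition(".")
        if "." in parent:  # skip bare registrable names such as pypi.org
            groups[(client, parent)].append((datetime.fromisoformat(ts), label, status))
    findings = []
    for (client, parent), events in groups.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window so it only covers lookups within `window` of this one.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            unique = len({label for _, label, _ in span})
            ok_ratio = sum(status == "OK" for _, _, status in span) / len(span)
            if unique >= min_unique and ok_ratio <= max_ok_ratio:
                best = max(best, unique)
        if best:
            findings.append((client, parent, best, parent == IOC_PARENT))
    return findings

if __name__ == "__main__":
    for finding in find_dga_bursts(sample_log()):
        print(finding)
```

The success-ratio condition is what separates this pattern from ordinary CDN traffic, where a client also touches many subdomains of one parent but nearly all lookups succeed.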
Vigilance and Best Practices Are Key
The discovery and mitigation of the “chimera-sandbox-extensions” package underscore the crucial role of security teams in monitoring open-source repositories and responding promptly to threats.
JFrog’s rapid identification and reporting ensured the package was removed from PyPI before widespread damage occurred. Still, the episode serves as a potent reminder of the risks posed by supply chain attacks.
To defend against such threats, users should:
- Verify the authenticity of the package and the reliability of its source before installation.
- Monitor for and revoke any potentially compromised tokens.
- Keep security tools and platforms up to date to detect emerging threats.
- Review JFrog and other security advisories for the latest vulnerabilities.
JFrog Xray now includes detection for this malicious package, providing users with an additional layer of defense.
As hackers continue to refine their techniques, continuous vigilance and proactive security measures are essential to safeguarding the software supply chain.
For more information, visit the JFrog Security Research Center or consider a demo of advanced security solutions.





