Attacks leveraging a new malicious package on the Python Package Index (PyPI), dubbed "lr-utils-lib", have enabled the exfiltration of Google Cloud credentials from macOS systems, The Hacker News reports.
The package, which was taken down after accumulating 59 downloads, first verifies that the targeted system is running macOS, then checks the machine's Universally Unique Identifier (UUID) and accesses files that contain Google Cloud authentication details, which are then sent to a remote server over HTTP, according to a Checkmarx report. Although the identity of the actual threat actors remains unknown, researchers found that the package's owner matched a certain "Lucid Zenith" purporting to be the CEO of Apex Companies on LinkedIn, which may indicate that social engineering was used in the attack campaign. "While it is not clear whether this attack targeted individuals or enterprises, these kinds of attacks can significantly impact enterprises. While the initial compromise usually occurs on an individual developer's machine, the implications for enterprises can be substantial," said Checkmarx researcher Yehuda Gelb.