Attackers are leveraging the new malicious Python Package Index package, dubbed "lr-utils-lib", to exfiltrate Google Cloud credentials from macOS systems, The Hacker News reported.
The package, which was taken down after accumulating 59 downloads, first verifies that the target system is macOS, then reads the machine's Universally Unique Identifier (UUID) and harvests files containing Google Cloud authentication details, which it sends to a remote server over HTTP, according to a Checkmarx report.
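The behaviour described above, a package that runs only on macOS and reads the Google Cloud credential files a developer keeps under their home directory, suggests two immediate triage questions for a defender: is the reported package installed in this interpreter, and which credential files on the host were readable to it? The following script is an added example, not code from the Checkmarx report or from the package itself; the credential file names follow the gcloud CLI's default `~/.config/gcloud` layout and the `GOOGLE_APPLICATION_CREDENTIALS` variable (both assumed here), and `build_demo_home()` creates a constructed, fake credential file so the checks can be exercised offline.

```python
"""Triage helper: is the reported malicious package installed, and which Google Cloud
credential files on this developer machine would it have been able to read?

Added example, not code from the report or the package. Credential paths follow the
gcloud CLI's default config layout (assumed); the package name is the one reported.
"""
from __future__ import annotations

import importlib.metadata
import os
import platform
import re
import tempfile
from pathlib import Path
from typing import Iterable, Mapping

# Package name from the report. Matching uses the PEP 503 normalised form so that
# spellings such as "LR_Utils_Lib" or "lr.utils.lib" are caught as well.
SUSPECT_PACKAGES = {"lr-utils-lib"}

# Files the gcloud CLI keeps under ~/.config/gcloud (assumed default layout).
GCLOUD_CREDENTIAL_FILES = (
    "application_default_credentials.json",
    "credentials.db",
    "access_tokens.db",
    "legacy_credentials",
)


def normalise(name: str) -> str:
    """PEP 503 project-name normalisation: lower-case, runs of [-_.] collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_suspects(installed: Iterable[str] | None = None) -> list[str]:
    """Return the suspect package names present among the installed distributions.

    `installed` may be supplied explicitly (e.g. the output of `pip list`); by default
    the current interpreter's site-packages is inspected."""
    if installed is None:
        installed = [d.metadata["Name"] for d in importlib.metadata.distributions()]
    present = {normalise(n) for n in installed if n}
    return sorted(SUSPECT_PACKAGES & present)


def exposed_credential_files(home: Path, env: Mapping[str, str] | None = None) -> list[Path]:
    """List Google Cloud credential files readable by the current user, and therefore
    by any code that user runs, including a freshly installed package."""
    env = os.environ if env is None else env
    candidates = [home / ".config" / "gcloud" / f for f in GCLOUD_CREDENTIAL_FILES]
    # A service-account key referenced through the ADC environment variable, if set.
    sa_key = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if sa_key:
        candidates.append(Path(sa_key))
    return [p for p in candidates if p.exists() and os.access(p, os.R_OK)]


def triage(home: Path, installed=None, env=None, system: str | None = None) -> dict:
    """Combine both checks. `rotate` is True when the suspect package is present and
    readable credentials exist: treat those credentials as compromised. `payload_platform`
    records whether the host is macOS, the only platform the report says the payload runs on."""
    system = platform.system() if system is None else system
    suspects = installed_suspects(installed)
    files = exposed_credential_files(home, env)
    return {
        "system": system,
        "payload_platform": system == "Darwin",
        "suspect_packages": suspects,
        "credential_files": [str(p) for p in files],
        "rotate": bool(suspects) and bool(files),
    }


def build_demo_home() -> Path:
    """Create a throwaway home directory holding a constructed (fake) ADC file so the
    triage can be exercised offline without touching real credentials."""
    home = Path(tempfile.mkdtemp(prefix="gcloud-triage-demo-"))
    gcloud = home / ".config" / "gcloud"
    gcloud.mkdir(parents=True)
    (gcloud / "application_default_credentials.json").write_text(
        '{"type": "authorized_user", "client_id": "constructed-demo", "refresh_token": "not-real"}\n'
    )
    return home


if __name__ == "__main__":
    import json
    # Real run against the current user. A non-empty suspect list together with
    # credential files present means: rotate those credentials and rebuild the host.
    print(json.dumps(triage(Path.home()), indent=2))
```

Run it inside the same virtual environment the project uses, since `importlib.metadata` only sees the distributions visible to that interpreter; for a fleet-wide check, feed `installed=` from each host's `pip list` output instead. Because the refresh token in `application_default_credentials.json` is long-lived, a positive result calls for revoking and reissuing it rather than merely deleting the file.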
While the identity of the threat actors remains unknown, researchers found that the package owner's name matched a LinkedIn profile for a certain "Lucid Zenith" claiming to be CEO of Apex Companies, which may indicate that social engineering was used in the campaign.
"While it is not clear whether this attack targeted individuals or enterprises, these kinds of attacks can significantly impact enterprises. While the initial compromise usually occurs on an individual developer's machine, the implications for enterprises can be substantial," said Checkmarx researcher Yehuda Gelb.