A malicious package detected recently on the PyPI (Python Package Index) platform, which is frequently used by developers in the Python ecosystem, has attracted attention. This malicious mechanism, published under the name “chimera-sandbox-extensions”; Although it may seem like a legitimate module at first glance, it contains a complex information theft attack that steals sensitive data from the victim’s system in the background.

macOS owners’ data is at risk

According to the report shared by JFrog security researcher Guy Korolevski, the package has been downloaded 143 times to date. The attackers introduced the package as an extension of the “Chimera Sandbox” service, which was launched by Singapore-based technology company Grab last year.

This service from Grab offers an open-source environment for developing and testing machine learning solutions. The malware targets developers who use exactly this service. After the package is loaded into the system, it tries to connect to a random domain name generated by a method called domain generation algorithm (DGA).

It receives a token for authentication through this connection and then a second-stage payload is downloaded from the same domain name. This second stage involves a Python-based information stealer software. The information collected by the software is also quite comprehensive.

The findings reveal that this software is a highly targeted attack tool and stands out from traditional threats in the open source world. It was emphasized that this system is much more sophisticated than previous threats detected in the open source environment.