As a cybersecurity observer, I get amazed (on a daily basis) by the amount of innovation that attackers put behind exploiting the newest attack surfaces. Take the software supply chain for example - there was a malicious "SentinelOne" SDK package uploaded to PyPi python opensource repository.
what
This package pretends to be a legitimate SDK but was actually uploaded to the OSS repo with the intent of stealing data from developers. It has already been downloaded 1000+ times.
(SentinelOne is one of the known names in the cybersecurity space - looks like these attackers are taking inspiration from the phishermen carrying out phishing attacks in the name of Bank of America :P )
how
Here is how this opensource software supply chain attack methodology works:
1) Malicious SDK package with a legit-sounding name gets uploaded to the PyPi open-source repo but on a random IP not belonging to the SentinelOne vendor company.
2) Package has a trojan hidden inside, which besides offering access to SentinelOne API, also secretly captures the data being exchanged by the systems using this malicious package.
3) The systems whose developers download and utilize this package get compromised and then attackers are able to steal any sensitive data exchanged by the compromised system not limited to:
a) K8s/AWS config info
b) host/gitconfig files and credentials within these files
c) Bash / SSH histories
This begs the question, as a security professional or DevOps professional dealing with everchanging attack surface dynamics, how do you plan to deal with your software/infrastructure security in the future?
Top comments (0)