Full Report
Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that's capable of harvesting sensitive developer-related information, such as credentials, configuration data, and environment variables, among others. The package, named chimera-sandbox-extensions, attracted 143 downloads and likely targets users of a service called Chimera Sandbox,
Analysis Summary
# Tool/Technique: chimera-sandbox-extensions (PyPI Package)
## Overview
A malicious package discovered on the Python Package Index (PyPI) that masquerades as a helper module for the Grab company's Chimera Sandbox ML development service. Its primary goal is to harvest sensitive developer and infrastructure credentials from infected systems.
## Technical Details
- Type: Malware (Information Stealer via Malicious Package)
- Platform: Primarily systems where Python packages are installed; the harvesting of Jamf receipts indicates that Apple macOS hosts are in scope.
- Capabilities: Information theft (credentials, config files, environment variables), multi-stage payload delivery, domain generation algorithm (DGA) for C2 communication.
- First Seen: Recent, disclosed in a report published "last week" relative to the article date.
## MITRE ATT&CK Mapping
Due to the multi-stage nature, several tactics are relevant:
- TA0001 - Initial Access
  - T1190 - Exploit Public-Facing Application (Indirectly, by polluting a trusted repository like PyPI)
- TA0002 - Execution
  - T1059 - Command and Scripting Interpreter (Via subsequent execution stages)
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (The payload retrieval process is described as complex/staged)
- TA0009 - Collection
  - T1005 - Data from Local System
  - T1518 - Software Discovery (Identifying JAMF receipts)
- TA0011 - Command and Control
  - T1568 - Dynamic Resolution (Use of DGA)
## Functionality
### Core Capabilities
- **Masquerading:** Appears as a legitimate extension for Chimera Sandbox.
- **Information Harvesting (Stage 1):** Steals configuration data, environment variables (CI/CD tokens), AWS tokens, and Jamf receipts.
- **C2 Communication:** Communicates with a C2 domain generated via a Domain Generation Algorithm (DGA).
- **Multi-Stage Payload Delivery:** Downloads an authentication token via DGA, uses it to request a Python-based information stealer from the same C2 domain, and exfiltrates data via POST requests.
### Advanced Features
- **Targeted Data Collection:** Specifically targets artifacts related to corporate/cloud infrastructure (AWS, CI/CD, Jamf Pro records).
- **Adaptive Targeting:** The remote server assesses the collected information to decide if the machine is worthy of further exploitation.
## Indicators of Compromise
- File Hashes: (Not provided in the context)
- File Names: `chimera-sandbox-extensions` (Package name)
- Registry Keys: (Not provided in the context)
- Network Indicators:
  - C2 Domain: Generated via DGA (Not explicitly listed/defanged)
- Behavioral Indicators:
  - Package installation followed by resolution of an external, DGA-generated C2 domain.
  - Attempts to read sensitive local data such as Jamf receipts, AWS credential files and environment variables holding CI/CD tokens.
  - Subsequent network activity to retrieve an authentication token and then the main stealer module.
## Associated Threat Actors
The article does not explicitly name an actor responsible for this specific PyPI package but notes its targeted nature distinguishes it from generic malware.
## Detection Methods
- Signature-based detection: Detection rules can be developed based on the package name and initial file structure if made public.
- Behavioral detection: Monitoring processes for installation of newly published PyPI packages that immediately attempt external network connections using DGA patterns or accessing sensitive user/system configuration directories.
- YARA rules: (Not provided in the context)
## Mitigation Strategies
- **Vigilant Package Auditing:** Development teams must maintain vigilance when installing packages, even those appearing related to internal tools.
- **Dependency Scanning:** Utilize software composition analysis (SCA) tools to scan transitive dependencies for known malicious patterns before integration.
- **Least Privilege:** Running build environments and IDEs with minimum necessary privileges to limit the scope of credential theft.
## Related Tools/Techniques
This malware aligns with the threat trend highlighted by other malicious packages mentioned in the context:
- `eslint-config-airbnb-compat`, `ts-runtime-compat-check`, `solders`, `@mediawave/lib` (Malicious npm packages exhibiting multi-stage RCE or heavy obfuscation).
- **Slopsquatting:** A related supply chain threat where actors register packages based on AI-hallucinated, non-existent names.
***
# Tool/Technique: npm Malware Campaigns (Multiple Packages)
## Overview
A set of malware-laced packages discovered on the npm registry (`eslint-config-airbnb-compat`, `ts-runtime-compat-check`, `solders`, `@mediawave/lib`). These packages were designed to execute remote code and download additional payloads, exploiting transitive dependencies or post-install scripts.
## Technical Details
- Type: Malware (Malicious npm Packages, RCE/Dropper)
- Platform: Node.js/JavaScript environments (npm ecosystem).
- Capabilities: Remote Code Execution (RCE), dependency-chain obfuscation, payload download via HTTP request, Unicode-based obfuscation.
- First Seen: Recent, disclosed in parallel reports from SafeDep and Veracode.
## MITRE ATT&CK Mapping (Focusing on `solders` example)
- TA0001 - Initial Access
  - T1190 - Exploit Public-Facing Application (Via trusted registry pollution)
- TA0002 - Execution
  - T1059.001 - Command and Scripting Interpreter: PowerShell (Used for second-stage download)
  - T1037.001 - Boot or Logon Autostart Execution: Initial Script (Use of `package.json` post-install scripts)
- TA0003 - Persistence (Implied by configuration changes)
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (Extensive Unicode-based obfuscation in the JavaScript bundle)
## Functionality
### Core Capabilities
- **Automated Execution:** `solders` utilized a malicious `post-install` script in `package.json` to automatically execute code upon installation.
- **Transitive Dependency Hiding:** `eslint-config-airbnb-compat` hid malicious logic by loading RCE code via a dependency (`ts-runtime-compat-check`).
- **Obfuscation:** Heavy use of Unicode characters as variable names and dynamic code generation in `solders` to hide malicious JavaScript.
### Advanced Features
- **Multi-Stage Payload Retrieval Chain:**
  1. The initial obfuscated JavaScript executes.
  2. It contacts an external server (for example `proxy.eslint-proxy[.]site`) to fetch a Base64-encoded payload.
  3. For `solders`: checks for Windows, then executes PowerShell to download Stage 2 from `firewall[.]tel`.
  4. Stage 2 configures Windows Defender exclusions.
  5. Stage 3 (a batch script) executes a .NET DLL.
  6. The DLL retrieves data (the last two pixels) from a PNG hosted on ImgBB (`i.ibb[.]co`).
## Indicators of Compromise
- File Hashes: (Not provided in the context)
- File Names: (Packages themselves are the IoCs)
- Registry Keys: Configuration of Windows Defender Antivirus exclusion list.
- Network Indicators:
  - `proxy.eslint-proxy[.]site` (Defanged)
  - `firewall[.]tel` (Defanged)
  - `cdn.audiowave[.]org` (Defanged)
  - `i.ibb[.]co` (ImgBB image hosting used for final stage data exfiltration/command relay)
- Behavioral Indicators:
  - Automated execution of `post-install` scripts upon package installation.
  - Use of PowerShell to download subsequent stages.
  - Configuration changes to Windows Defender exclusion lists.
## Associated Threat Actors
Attribution is generally tied to financially motivated or state-sponsored actors exploiting the software supply chain, though no specific group is named for these npm packages.
## Detection Methods
- Signature-based detection: Rules targeting the known malicious package names.
- Behavioral detection: Monitoring for npm package installations that trigger suspicious PowerShell executions or immediately reach out to external, high-risk domains using DGA or known C2 patterns.
- YARA rules: Could be used to detect the specific Unicode obfuscation patterns identified in the `solders` package.
## Mitigation Strategies
- **Dependency Validation:** Prioritize packages with high usage, good maintainer history, and recent activity.
- **Build Environment Isolation:** Execute package installation and build steps in isolated, non-persistent environments.
- **Reviewing Dependencies:** Scrutinize scripts defined in `package.json` (especially `postinstall`).
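As an added defensive example (not code from the page or from any of the packages it names), the following Python audit applies the two checks this section describes to a package's `package.json` and bundled JavaScript: lifecycle scripts that run automatically on install, and identifiers built from non-ASCII characters as in the `solders` obfuscation. The manifest and JavaScript snippet are constructed; the risky-command patterns and the 30% ratio threshold are assumptions.

```python
import json
import re

LIFECYCLE_KEYS = ("preinstall", "install", "postinstall", "prepare")
# Shell fragments a benign install script rarely needs; a heuristic, not a signature.
RISKY = re.compile(r"powershell|\bcurl\b|\bwget\b|node\s+-e|\bbase64\b|Invoke-Expression|\biex\b", re.I)
# Any identifier-shaped token; \w is Unicode-aware, so non-ASCII letters are captured too.
IDENT = re.compile(r"[^\W\d]\w*")

def lifecycle_findings(package_json: dict) -> list[str]:
    """One finding per npm lifecycle script: HIGH when its command matches RISKY, else REVIEW."""
    findings = []
    for key, cmd in package_json.get("scripts", {}).items():
        if key in LIFECYCLE_KEYS:
            level = "HIGH" if RISKY.search(cmd) else "REVIEW"
            findings.append(f"{level}: scripts.{key} = {cmd!r}")
    return findings

def non_ascii_identifier_ratio(js_source: str) -> float:
    """Share of identifier tokens (keywords included) that contain non-ASCII characters."""
    idents = IDENT.findall(js_source)
    return sum(1 for i in idents if not i.isascii()) / len(idents) if idents else 0.0

def audit(package_json_text: str, js_source: str, ratio_threshold: float = 0.3) -> list[str]:
    """Combine both checks on a package's manifest text and its bundled JavaScript."""
    findings = lifecycle_findings(json.loads(package_json_text))
    ratio = non_ascii_identifier_ratio(js_source)
    if ratio >= ratio_threshold:
        findings.append(f"HIGH: {ratio:.0%} of identifiers are non-ASCII (possible Unicode obfuscation)")
    return findings

# Constructed samples for the demo; not taken from any real package.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-pkg", "version": "1.0.0",
    "scripts": {"postinstall": "node -e \"require('./setup.js')\"", "test": "jest"},
})
SAMPLE_JS = "var ё = 1; var ж = ё + 1; console.log(ж);"

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_JS):
        print(finding)
```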
## Related Tools/Techniques
- `chimera-sandbox-extensions` (PyPI package utilizing DGA for similar supply chain targeting).
***
# Tool/Technique: Slopsquatting
## Overview
A novel threat vector where malicious actors register legitimate-sounding but non-existent package names on public registries (like PyPI or npm) that Large Language Models (LLMs) or AI coding assistants might "hallucinate" or suggest during coding sessions ("vibe coding").
## Technical Details
- Type: Technique (Supply Chain Attack Vector)
- Platform: Software development environments leveraging generative AI coding tools (e.g., GitHub Copilot, specific CLI tools).
- Capabilities: Pre-positioning malicious payloads under plausible, hallucinated names for future exploitation.
- First Seen: Observed recently, as detailed in reports from Trend Micro.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - T1190 - Exploit Public-Facing Application (Preparation for repository pollution)
- TA0009 - Collection
  - T1601 - Collection: Gathering System Software/Information (Targeting build processes fed by AI suggestions)
## Functionality
### Core Capabilities
- **Exploiting AI Hallucination:** Malicious actors leverage knowledge gaps or errors in LLMs to predict package names that developers might seek.
- **Pre-registration:** The actor registers the predicted phantom package name on a public registry in advance, so that a developer who installs the hallucinated dependency receives the attacker's package instead of an installation error.
### Advanced Features
- **AI Workflow Integration:** Potential for deep integration if developers rely heavily on AI tools for dependency management without manual verification.
## Indicators of Compromise
- File Hashes: N/A (Relates to future package registration)
- File Names: Hallucinated package names (Example: `starlette-reverse-proxy`).
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Build failures or security alerts triggered when dependency resolution points to a newly registered, unknown package matching an AI suggestion.
## Associated Threat Actors
Financially motivated threat actors and state-sponsored groups evolving tactics to exploit systemic weaknesses in the software supply chain.
## Detection Methods
- **AI Tool Validation:** Using advanced reasoning-enhanced coding agents or tools with MCP-backed validation to reduce the rate of phantom dependency suggestions.
- **Dependency Vetting:** Automated tools flagging dependencies that match known hallucinated names or have suspicious metadata (low downloads, new registration).
## Mitigation Strategies
- **Manual Verification:** Developers must critically review all dependency suggestions made by AI tools before installation.
- **Tool Augmentation:** Using coding workflows augmented with live Mean Time to Package (MTP) validation protocols where possible.
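An added example (not from the page or from Trend Micro) of the dependency vetting described under Detection Methods and Mitigation Strategies above: normalise requirement names, pass approved ones, and flag names that no project has registered, or that exist but are newly registered or barely downloaded. The registry snapshot, dates, download counts and policy thresholds are constructed stand-ins for a live PyPI metadata lookup; `starlette-reverse-proxy` is the hallucinated name the page cites.

```python
import re
from datetime import date

MAX_AGE_DAYS = 90      # policy knobs; assumed values, tune to the environment
MIN_DOWNLOADS = 1_000

def normalize(name: str) -> str:
    """PEP 503 name normalisation: 'Starlette_Reverse.Proxy' -> 'starlette-reverse-proxy'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_names(requirements_text: str) -> list[str]:
    """Normalised project names from requirements.txt lines; comments, extras, specifiers and option lines dropped."""
    names = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(normalize(m.group(1)))
    return names

def vet(requirements_text: str, allowlist: set, registry: dict, today: date) -> dict:
    """ALLOW: approved; UNKNOWN: no such project (a phantom name nobody registered yet);
    SUSPICIOUS: registered recently or barely downloaded; REVIEW: established but unapproved."""
    verdicts = {}
    for name in requirement_names(requirements_text):
        meta = registry.get(name)
        if name in allowlist:
            verdicts[name] = "ALLOW"
        elif meta is None:
            verdicts[name] = "UNKNOWN"
        elif (today - meta["first_release"]).days < MAX_AGE_DAYS or meta["downloads_30d"] < MIN_DOWNLOADS:
            verdicts[name] = "SUSPICIOUS"
        else:
            verdicts[name] = "REVIEW"
    return verdicts

# Constructed registry snapshot; dates and download counts are invented for the example.
REGISTRY = {
    "starlette": {"first_release": date(2018, 1, 1), "downloads_30d": 9_000_000},
    "httpx": {"first_release": date(2019, 1, 1), "downloads_30d": 5_000_000},
    "starlette-reverse-proxy": {"first_release": date(2025, 6, 1), "downloads_30d": 12},
}
ALLOWLIST = {"starlette"}
REQUIREMENTS = """
starlette>=0.37
httpx[http2]==0.27
starlette-reverse-proxy   # suggested by an AI assistant; name taken from the report
Requests_Toolbelt==1.0
"""

def demo() -> dict:
    return vet(REQUIREMENTS, ALLOWLIST, REGISTRY, date(2025, 6, 20))

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:10} {name}")
```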
## Related Tools/Techniques
- General software supply chain compromise methods utilized by the PyPI and npm package threats described above.