A dangerous piece of malware has been discovered hidden inside a Python software package, raising serious concerns about the security of open-source tools often used by developers.
Security experts at JFrog recently found a harmful package uploaded to the Python Package Index (PyPI) – a popular online repository where developers share and download software components. This specific package, named chimera-sandbox-extensions, was designed to secretly collect sensitive information from developers, especially those working with cloud infrastructure.
The package was uploaded by a user going by the name chimerai and appears to target users of the Chimera sandbox— a platform used by developers for testing. Once installed, the package launches a chain of events that unfolds in multiple stages.
It starts with a function called check_update() which tries to contact a list of web domains generated using a special algorithm. Out of these, only one domain was found to be active at the time of analysis. This connection allows the malware to download a hidden tool that fetches an authentication token, which is then used to download a second, more harmful tool written in Python.
This second stage of the malware focuses on stealing valuable information. It attempts to gather data such as Git settings, CI/CD pipeline details, AWS access tokens, configuration files from tools like Zscaler and JAMF, and other system-level information. All of this stolen data is bundled into a structured file and sent back to a remote server controlled by the attackers.
According to JFrog’s research, the malware was likely designed to go even further, possibly launching a third phase of attack. However, researchers did not find evidence of this additional step in the version they analyzed.
After JFrog alerted the maintainers of PyPI, the malicious package was removed from the platform. However, the incident serves as a reminder of the growing complexity and danger of software supply chain attacks. Unlike basic infostealers, this malware showed signs of being deliberately crafted to infiltrate professional development environments.
Cybersecurity experts are urging development and IT security teams to stay alert. They recommend using multiple layers of protection, regularly reviewing third-party packages, and staying updated on new threats to avoid falling victim to such sophisticated attacks.
As open-source tools continue to be essential in software development, such incidents highlight the need for stronger checks and awareness across the development community.
