New Research: Multi-Stage Malware Attack on Python Package Index Discovered
Briefly

Researchers at JFrog have identified a malicious package in the Python Package Index (PyPI) named chimera-sandbox-extensions. The package has over 140 downloads and targets users of the Chimera Sandbox service, posing as a helpful module. Upon installation, it connects to an external domain to execute a next-stage payload that compromises developer-related data such as credentials and configurations. Security leaders recommend that development teams use curated package registries, implement policy-driven governance, and run software composition analysis in CI/CD pipelines to combat these threats effectively and to identify suspicious packages by their reputation.
This incident underscores the growing sophistication of supply chain attacks, where seemingly trustworthy packages can deliver dangerous malware.
Development teams should move towards curated package registries that control which packages are allowed in their projects.
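The policy-driven governance and curated-registry controls recommended above can be enforced before `pip install` ever runs. The following is an added example written for this summary, not code from JFrog or from the Securitymagazine article: a small CI gate that reads a requirements file and rejects any dependency that is not on a reviewed allowlist, is not pinned to an approved exact version, or pulls from an index or URL other than the curated registry. The allowlist contents, the approved version numbers, the `0.1.0` version attached to the page's package name and the sample requirements file are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed curated allowlist: package name -> versions that were reviewed and approved.
CURATED_PACKAGES: Dict[str, Set[str]] = {
    "requests": {"2.31.0", "2.32.3"},
    "numpy": {"1.26.4"},
    "pandas": {"2.2.2"},
}

# pip options that repoint installs at another index or at loose files, bypassing the curated registry.
INDEX_OVERRIDES = ("--index-url", "-i", "--extra-index-url", "--find-links", "-f")

REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)"   # project name
    r"\s*(?:\[[^\]]*\])?"              # optional extras, e.g. requests[socks]
    r"\s*(==|~=|>=|<=|!=|>|<)?"        # optional version operator
    r"\s*([^\s;#]*)"                   # version text (stops at markers and comments)
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation so Foo_Bar, foo.bar and foo-bar compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Finding:
    line_no: int
    subject: str
    reason: str


@dataclass
class PolicyResult:
    findings: List[Finding] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.findings


def check_requirements(text: str, allowlist: Dict[str, Set[str]] = CURATED_PACKAGES) -> PolicyResult:
    """Evaluate a requirements file against the curated allowlist and return every violation."""
    result = PolicyResult()
    approved = {normalize(n): v for n, v in allowlist.items()}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith("-"):
            opt = line.split()[0]
            if opt in INDEX_OVERRIDES:
                result.findings.append(Finding(line_no, opt, "index override bypasses the curated registry"))
            continue  # other pip options (e.g. -r includes) are outside this gate
        if "://" in line or " @ " in line:
            result.findings.append(Finding(line_no, line, "direct URL dependency bypasses the curated registry"))
            continue
        m = REQ_LINE.match(line)
        if not m:
            result.findings.append(Finding(line_no, line, "unparseable requirement"))
            continue
        name, op, version = normalize(m.group(1)), m.group(2), m.group(3)
        if name not in approved:
            result.findings.append(Finding(line_no, name, "not in curated allowlist"))
        elif op != "==" or not version:
            result.findings.append(Finding(line_no, name, "not pinned to an exact version"))
        elif version not in approved[name]:
            result.findings.append(Finding(line_no, name, f"version {version} not approved"))
    return result


# Constructed requirements file used to exercise the gate; the 0.1.0 version is made up.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0          # approved and pinned
numpy>=1.26               # approved name, floating version
chimera-sandbox-extensions==0.1.0
pandas==9.9.9             # approved name, unreviewed version
--extra-index-url https://mirror.example.invalid/simple
"""

if __name__ == "__main__":
    report = check_requirements(SAMPLE_REQUIREMENTS)
    for f in report.findings:
        print(f"line {f.line_no}: {f.subject}: {f.reason}")
    raise SystemExit(0 if report.passed else 1)
```

Run against the sample file, the gate fails the build with four findings: the floating `numpy` range, the unlisted `chimera-sandbox-extensions`, the unreviewed `pandas` version and the extra index URL; only the pinned, approved `requests` line passes. Exiting non-zero is what makes the control policy-driven rather than advisory, and keeping the allowlist in version control gives reviewers a record of which packages and versions were vetted and when.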
Read at Securitymagazine