Malicious PyPI Package Aims at Compromising Developer Credentials

JFrog researchers have identified a multi-stage malware embedded in a Python package specifically designed to steal sensitive information from cloud infrastructures.

The malicious package, named chimera-sandbox-extensions, was disclosed by the JFrog Security Research team through their blog. This package is found on the Python Package Index (PyPI) and targets developers leveraging the Chimera sandbox platform, focusing on extracting credentials, configuration files, API tokens, and other critical data from corporate environments.

The package was uploaded by a user utilizing the handle ‘chimerai.’ Upon installation, it executes a function called check_update(), which connects to domains generated by a domain generation algorithm. Only one of these domains, twdtsgc8iuryd0iu.chimerasandbox.workers.dev/auth, is presently operational. Once connected, the malware initiates a first-stage payload that retrieves an authentication token, which is then used to download a second payload—a Python-based infostealer.

This second-stage component aims at high-value data, encompassing JAMF receipts, Git configurations, CI/CD pipeline variables, Zscaler configurations, AWS tokens, and system metadata. Information captured is formatted into a JSON object and sent back to the command-and-control server via a POST request. While JFrog’s analysis did not disclose a third payload, the malware’s architecture suggests that one could potentially be deployed.

JFrog has notified PyPI maintainers, who have since removed the malicious package from the platform. The sophistication and targeted nature of this malware differentiate it from typical infostealers, posing a significant threat to organizations that operate within corporate and cloud development environments.

This incident serves as a stark reminder of the continuous and evolving risks associated with the open-source software supply chain. To counteract such sophisticated threats, development and security teams must implement multi-layered defensive strategies that secure critical infrastructure against similar breaches.