Malicious PyPI package disguised as SentinelOne SDK to deliver info-stealing malware

December 20, 2022

An unknown threat actor created a malicious Python package on PyPI that appears to be a software development kit (SDK) for a well-known SentinelOne security client but steals data from developers in the latest supply chain attack.

The Python package was initially uploaded on December 11 and received approximately 20 updates over the next two days. The module has nothing to do with the legitimate threat detection firm, but it takes advantage of its brand reputation to attract unsuspecting victims.

The package contains backdoor code meant for data theft from development systems, including credentials, configuration data, and SSH keys. It appears to be a fully-functional SentinelOne client – the malicious SDK appears to be built on top of legitimate SentinelOne code. The package is part of a malicious campaign dubbed “SentinelSneak” by ReversingLabs.

The phoney ‘SentinelOne’ package includes “api.py” files containing malicious code that steals and uploads data to an IP address (54.254.189.27) that does not belong to SentinelOne’s infrastructure.

Five additional malicious packages with similar names were published by threat actors; these modules did not contain api.py files with malicious functionality, implying they were used for testing purposes. The malicious versions of the package had been downloaded over 1,000 times on PyPI, according to the experts.

The sources for this piece include an article in BleepingComputer.

Top Stories

Related Articles

June 9, 2026 Hackers exploited Meta’s AI-powered support chatbot to gain control of Instagram accounts, including several high-profile profiles. Meta more...

June 5, 2026 Security researchers have disclosed a new denial-of-service attack called HTTP/2 Bomb that can overwhelm major web servers more...

May 20, 2026 The Cybersecurity and Infrastructure Security Agency, the arm of the U.S. government tasked with protecting critical infrastructure more...

May 11, 2026 Instructure has restored access to its Canvas learning platform after a cyberattack disrupted service for universities and more...

Jim Love

Jim is an author and podcast host with over 40 years in technology.

Share:
Facebook
Twitter
LinkedIn