
Malicious PyPI Package Targets Chimera Sandbox Users to Steal AWS Tokens and CI/CD Secrets

A malicious Python package posing as a harmless add-on for the Chimera Sandbox environment, an integrated machine-learning experimentation and development platform, is being used by threat actors to steal sensitive corporate credentials.

According to new research from software supply chain and DevOps company JFrog, the "chimera-sandbox-extensions" package recently uploaded to the popular PyPI repository packs a stealthy, multi-stage information stealer.

"The detection of unwanted software packages on PyPI, such as the chimera-sandbox-extensions package, highlights the significant and broad risks posed by software supply chain attacks," said Eric Schwake, director of cybersecurity strategy at Salt Security. "The main threat lies in its ability to collect sensitive developer-related data, including credentials, configuration files, and especially AWS tokens and CI/CD environment variables."

Schwake added that this poses a direct risk to corporate and cloud infrastructure, enabling attackers to gain unauthorized access through compromised API credentials and potentially alter or exfiltrate large amounts of data.
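The package can only do damage once it is resolved and installed, so the first check a practitioner wants is whether a known-bad or look-alike name has crept into a project's dependency list. The following is an added example, not JFrog's tooling and not code from the Chimera Sandbox project: it normalizes package names the way pip does (PEP 503) and flags both the package named in the report and any requirement that carries an internal-sounding name prefix but would be fetched from the public index. The `chimera-` prefix and the sample requirements text are constructed for illustration.

```python
import re

# Package named in JFrog's report (from the article above).
KNOWN_MALICIOUS = {"chimera-sandbox-extensions"}

# Hypothetical: name prefixes reserved for internal packages that should only
# ever be resolved from a private index. Anything with this prefix that a
# requirements file would pull from public PyPI deserves a second look.
INTERNAL_PREFIXES = ("chimera-",)

# Leading project name of a requirement line, before any version specifier,
# extras ([...]), environment marker (;) or URL.
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'.

    pip treats Chimera_Sandbox.Extensions and chimera-sandbox-extensions as the
    same project, so any deny-list comparison must use the normalized form.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Return normalized project names from requirements.txt / pip freeze text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):       # skip blanks and pip options (-e, --index-url, ...)
            continue
        match = _REQ_NAME.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def audit(text: str, internal_prefixes=INTERNAL_PREFIXES) -> list[tuple[str, str]]:
    """Flag requirements that are known malicious or impersonate internal packages.

    Assumes the requirements resolve against public PyPI; returns
    (normalized_name, reason) pairs in file order.
    """
    findings = []
    for name in parse_requirements(text):
        if name in KNOWN_MALICIOUS:
            findings.append((name, "known-malicious"))
        elif name.startswith(internal_prefixes):
            findings.append((name, "internal-name-from-public-index"))
    return findings


# Constructed sample: what a developer's requirements file might look like
# after a teammate adds the impersonating package.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
Chimera_Sandbox_Extensions==1.0.0   # "helper" found on PyPI
-e ./libs/internal-tools
chimera-core>=2
"""

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_REQUIREMENTS):
        print(f"{reason:34} {name}")
```

Run it against a requirements file or the output of `pip freeze` in a CI job before `pip install` executes; a known-malicious hit should fail the build outright, and an internal-prefix hit is a dependency-confusion or impersonation candidate that should be pinned to the private index (with `--index-url` and hashes) rather than left to resolve from PyPI.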
