The chimera-sandbox-extensions package has been found to be a malicious Python package. It masquerades as a helper module for the Chimera Sandbox environment but was designed to steal sensitive information from targeted systems, particularly those in corporate and cloud environments. Chimera Sandbox is a scalable notebook service platform developed by Grab, designed to accelerate experimentation and development in machine learning (ML) and artificial intelligence (AI). It is part of Grab’s broader AI Platform, providing essential compute infrastructure and integrated ML pipeline components for data scientists, ML engineers, and analysts.
Discovery and Removal
• Discovered by the JFrog Security Research team, the package was uploaded by a user named chimerai and attracted over 140 downloads before being removed from PyPI.
• Upon detection, JFrog promptly alerted PyPI maintainers, who took swift action to remove the package and update detection signatures in security tools.
Technical Details
Multi-Stage Attack
• Initial Execution: When installed, the package immediately executed a function that initiated contact with external domains generated by a sophisticated domain generation algorithm (DGA).
• Domain Generation: The DGA created a predictable set of subdomains under chimerasandbox.workers.dev, with only one typically active to evade detection.
• Payload Retrieval: The package fetched an authentication token from the active domain, which was then used to download and execute a second-stage Python-based infostealer payload.
Data Exfiltration
The infostealer collected and exfiltrated a wide range of sensitive data, including:
• JAMF receipts (for managed Apple macOS systems)
• Pod sandbox environment authentication tokens and git information
• CI/CD environment variables
• Zscaler host configuration
• AWS account information and tokens
• Public IP address
• General platform, user, and host information
Collected data was sent via POST requests to the malicious domain, where the server could decide whether to deliver further payloads for additional exploitation.
