In December 2022, threat actors impersonated SentinelOne by uploading fake software development kits (SDKs) onto PyPI. The SDKs contain fully functional SentinelOne clients, but the packages also contained malicious backdoors that are only executed when called on programmatically, as opposed to during installation. The packages have since been taken down from PyPI.

References

• https://pypi.org/project/SentinelOne/
• https://www.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk