Environment variables are a critical component of most operating environments. They allow programs and applications to store configuration data they can access at runtime.
Environment variables, while generally uninteresting, can sometimes refer to critical pieces of information like access tokens (e.g., AWS API keys) and locations on disk (e.g.,
LocalAppData). Malicious software on a machine may access this information and attempt to enumerate the environment variables looking for this sensitive data to steal.
In April of 2022, researchers discovered a set of malicious packages on PyPi that would search through environment variables looking for the location of local browser storage folders. Once found, the aim of the malware was to steal AWS or other user credentials.
Updated 3 months ago