Hackers Target Python Developers with Fake "Crytic-Compilers" Package on PyPI

06.06.2024

Cybersecurity researchers have uncovered a malicious Python package uploaded to the Python Package Index (PyPI) repository, designed to deploy an information stealer called Lumma (also known as LummaC2).

The package in question, named crytic-compilers, is a typosquatted version of the legitimate library crytic-compile. This rogue package was downloaded 441 times before being removed by PyPI maintainers.

“The counterfeit library is particularly noteworthy because, in addition to being named similarly to the legitimate Python utility ‘crytic-compile,’ it also aligns its version numbers with the real library,” said Sonatype security researcher Ax Sharma.

“While the real library’s latest version stops at 0.3.7, the fake ‘crytic-compilers’ version starts from there and ends at 0.3.11, creating the impression that this is a newer version of the component.”

To further the deception, some versions of crytic-compilers (e.g., 0.3.9) were found to install the actual package via a modification to the setup.py script.

However, the latest version drops any pretense of being a benign library by checking if the operating system is Windows and, if so, launches an executable (“s.exe”) designed to fetch additional payloads, including the Lumma Stealer.
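A static check for the two install-time tells described above (an OS probe gating a process launch, and a package name that nearly matches a known one), as an added example that is not code from the article or from either package; the sample setup.py, the list of launch and probe names, and the known-package list are constructed assumptions.

```python
import ast
import difflib

# Constructed sample in the style the article describes (an OS check gating the launch of a
# dropped "s.exe" at install time). It is illustrative only, not the real package's code.
SAMPLE_SETUP_PY = '''
import os, platform, subprocess
from setuptools import setup
if platform.system() == "Windows":
    subprocess.Popen([os.path.join(os.getcwd(), "s.exe")])
setup(name="crytic-compilers", version="0.3.11")
'''

EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call", "os.system", "os.startfile"}
PLATFORM_PROBES = {"platform.system", "sys.platform", "os.name"}

def _dotted(node):
    """Return 'a.b' for a Name/Attribute chain such as subprocess.Popen, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_setup_py(source):
    """Static review of a setup.py: record process launches, OS probes and .exe strings."""
    findings = {"exec_calls": [], "platform_probes": [], "exe_strings": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _dotted(node.func) in EXEC_CALLS:
            findings["exec_calls"].append((_dotted(node.func), node.lineno))
        elif isinstance(node, ast.Attribute) and _dotted(node) in PLATFORM_PROBES:
            findings["platform_probes"].append((_dotted(node), node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and node.value.lower().endswith(".exe"):
            findings["exe_strings"].append((node.value, node.lineno))
    # An OS check that gates a process launch during installation is the pattern to escalate.
    findings["suspicious"] = bool(findings["exec_calls"] and findings["platform_probes"])
    return findings

def typosquat_candidate(name, known_names, cutoff=0.85):
    """Return the known package a requested name closely resembles, or None if exact/unrelated."""
    if name in known_names:
        return None
    matches = difflib.get_close_matches(name, known_names, n=1, cutoff=cutoff)
    return matches[0] if matches else None
```

Run `scan_setup_py` over a package's setup.py before installing it, and `typosquat_candidate` over each requirement name against the packages your project actually depends on.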

Lumma is an information stealer available under a malware-as-a-service (MaaS) model and has been distributed through various methods such as trojanized software, malvertising, and fake browser updates.

This discovery “shows seasoned threat actors now targeting Python developers and exploiting open-source registries like PyPI as a distribution channel for their potent data theft tools,” Sharma noted.

Fake Browser Update Campaigns Target Hundreds of WordPress Sites

In related news, Sucuri has revealed that over 300 WordPress sites have been compromised with malicious Google Chrome update pop-ups, redirecting visitors to bogus MSIX installers that deploy information stealers and remote access trojans.

These attack chains involve threat actors gaining unauthorized access to the WordPress admin interface and using a legitimate WordPress plugin called Hustle – Email Marketing, Lead Generation, Optins, Popups to upload the code responsible for displaying the fake browser update pop-ups.

“This campaign highlights a growing trend among hackers to exploit legitimate plugins for malicious purposes,” said security researcher Puja Srivastava. “By doing this, they can evade detection by file scanners, as most plugins store their data within the WordPress database.”
