Malicious Actors Target Python Programmers using Counterfeit “Crytic-Compilers” Package on PyPI

June 06, 2024BulletinSoftware Security / Data Breach

A team of cybersecurity experts has unearthed a fake Python package that was added to the Python Package Index (PyPI) and was built to distribute an information-stealing tool known as Lumma (also called LummaC2).

The fraudulent package is crytic-compilers, a deceptive variant of an authentic library dubbed crytic-compile. The impostor package accrued 441 downloads before it was removed by PyPI administrators.

“What makes this bogus library intriguing is that, apart from adopting the name of the genuine Python tool, ‘crytic-compile,’ it matches its version numbers with the original library,” said Ax Sharma, a security researcher at Sonatype.

“While the legitimate library’s most recent version is 0.3.7, the fake ‘crytic-compilers’ version picks up from there and concludes at 0.3.11 — creating the illusion of a newer edition of the software component.”


In another effort to perpetuate the deception, certain versions of crytic-compilers (e.g., 0.3.9) were identified to install the authentic package by tweaking the setup.py script.

The most recent version, however, abandons any pretense of being a harmless library: it checks whether the system is running Windows and then executes a program (“s.exe”), which in turn is intended to download additional malicious software, including the Lumma Stealer.
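The two signals described above, a name that is a near miss of a legitimate project and a version series that continues past the legitimate project's latest release, can be turned into a simple pre-install triage check. The following is an added defender-side example, not code from the article or from Sonatype; the trusted-project catalogue and the requirements text are constructed, and only `crytic-compile` at version 0.3.7 is taken from the article.

```python
"""Triage a requirements list for look-alike package names and implausible versions.

Added defender-side example, not code from the article or from Sonatype.
It encodes the two signals the article describes: a requested name that is a
near miss of a trusted project, and a version that continues past the trusted
project's latest known release. The catalogue and requirements text below are
constructed; only 'crytic-compile' at 0.3.7 comes from the article.
"""
import re
from dataclasses import dataclass

# Constructed allow-list of trusted projects and their latest known versions.
# In practice this would be generated from a curated internal mirror.
KNOWN_GOOD = {
    "crytic-compile": "0.3.7",   # from the article
    "example-lib": "1.4.2",      # constructed placeholder
}


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> tuple:
    """Numeric tuple so that 0.3.11 compares greater than 0.3.7 (a string compare would not)."""
    return tuple(int(part) for part in v.split("."))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a small distance to a trusted name is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    requested: str
    related_to: str
    reason: str


# Matches 'name' or 'name==x.y.z'; other specifiers are ignored for brevity.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([0-9]+(?:\.[0-9]+)*))?")


def check_requirement(line: str, catalogue=KNOWN_GOOD, max_distance: int = 2) -> list:
    """Return findings for one requirement line; an empty list means nothing stood out."""
    m = REQ_LINE.match(line)
    if not m:
        return []
    name, version = normalize(m.group(1)), m.group(2)
    findings = []
    if name in catalogue:
        latest = catalogue[name]
        if version and parse_version(version) > parse_version(latest):
            findings.append(Finding(name, name, f"version {version} is newer than latest known {latest}"))
        return findings
    # Unknown name: compare against every trusted name for a near miss.
    for good, latest in catalogue.items():
        distance = levenshtein(name, good)
        if 0 < distance <= max_distance:
            reason = f"name is within edit distance {distance} of trusted '{good}'"
            if version and parse_version(version) > parse_version(latest):
                reason += f"; version {version} continues past the legitimate latest {latest}"
            findings.append(Finding(name, good, reason))
    return findings


def audit(requirements_text: str) -> list:
    """Run check_requirement over every non-comment line of a requirements file."""
    results = []
    for line in requirements_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            results.extend(check_requirement(line))
    return results


# Constructed requirements file; the first line mirrors the case in the article.
CONSTRUCTED_REQUIREMENTS = """
crytic-compilers==0.3.11
crytic-compile==0.3.7
example-lib==1.4.2
"""

if __name__ == "__main__":
    for f in audit(CONSTRUCTED_REQUIREMENTS):
        print(f"{f.requested}: {f.reason}")
```

Because the catalogue is an allow-list of trusted names, an unknown name within a small edit distance is a triage signal rather than a verdict; the version check is what separates a plausible fork from a package that claims to be "newer" than the project it imitates.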

Lumma, available to other criminal entities through a malware-as-a-service (MaaS) structure, has been spread through various channels such as trojan-infected programs, malicious advertising, and even counterfeit web browser updates.

The finding “demonstrates advanced threat actors now setting their sights on Python developers and exploiting public repositories like PyPI to distribute their powerful data-stealing tools,” remarked Sharma.

Malicious Browser Update Campaigns Target Numerous WordPress Websites

This revelation coincides with Sucuri’s disclosure that more than 300 WordPress websites have been breached by deceptive Google Chrome update notifications that redirect visitors to fake MSIX installation files, leading to the execution of information-stealing software and remote access trojans.


The attack chain involves the threat actors gaining illicit access to the WordPress administrative panel and using a legitimate WordPress plugin called Hustle – Email Marketing, Lead Generation, Optins, Popups to insert the code that displays the fabricated browser update alerts.

“This campaign underscores a growing pattern where hackers exploit legitimate plugins for malicious motives,” said Puja Srivastava, a security researcher. “By doing so, they can elude detection by file scanning tools, as many plugins store their data within the WordPress database.”
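Since the injected content lives in plugin data inside the WordPress database rather than in files, a file scanner never sees it; a defender has to walk the stored rows instead. The following is an added defender-side example, not code from the article or from Sucuri: it inspects exported option and meta values for the kinds of indicators the article describes (externally loaded scripts, obfuscation primitives, browser-update lure text, and base64 blobs that decode to script or a redirect). All rows, hosts, option keys and lure text are constructed placeholders, not indicators from the real campaign.

```python
"""Scan exported WordPress option/meta rows for injected browser-update lures.

Added defender-side example, not code from the article or from Sucuri. The
article notes that plugin content is stored in the database, where file
scanners do not look, so this walks database rows instead. Every row, host,
option key and lure string below is a constructed placeholder.
"""
import base64
import re
from typing import NamedTuple


class Row(NamedTuple):
    table: str
    key: str
    value: str


class Hit(NamedTuple):
    table: str
    key: str
    indicator: str


# Hosts the site is expected to load scripts from (constructed).
ALLOWED_SCRIPT_HOSTS = {"blog.example", "cdn.blog.example"}

EXTERNAL_SCRIPT = re.compile(r"<script[^>]+src=[\"']https?://([^\"'/:]+)", re.I)
OBFUSCATION = re.compile(r"\b(eval|atob|unescape)\s*\(|String\.fromCharCode", re.I)
LURE_TEXT = re.compile(r"(update|upgrade)\s+(your\s+)?(browser|chrome|firefox|edge)", re.I)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decoded_blobs(value: str):
    """Yield decoded bytes for every long base64-looking token that decodes cleanly."""
    for tok in BASE64_BLOB.findall(value):
        if len(tok) % 4:
            continue
        try:
            yield base64.b64decode(tok, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue


def inspect_value(value: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list:
    """Return indicator strings for one stored value; empty list if nothing stood out."""
    indicators = []
    for host in EXTERNAL_SCRIPT.findall(value):
        if host.lower() not in allowed_hosts:
            indicators.append(f"script loaded from unexpected host {host}")
    if OBFUSCATION.search(value):
        indicators.append("obfuscation primitives (eval/atob/unescape/fromCharCode)")
    if LURE_TEXT.search(value):
        indicators.append("browser-update lure text")
    for blob in decoded_blobs(value):
        low = blob.lower()
        if b"<script" in low or b"location" in low or b".msix" in low:
            indicators.append("base64 blob decodes to script or redirect")
    return indicators


def scan_rows(rows, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list:
    """Apply inspect_value to every row and return one Hit per indicator."""
    return [Hit(r.table, r.key, ind) for r in rows for ind in inspect_value(r.value, allowed_hosts)]


# Constructed sample export: rows 1-2 are benign, rows 3-4 are planted content.
_ENCODED_REDIRECT = base64.b64encode(
    b'<script>window.location="https://update-lure.invalid/ChromeSetup.msix"</script>'
).decode()

SAMPLE_ROWS = [
    Row("wp_options", "blogname", "Example Blog"),
    Row("wp_options", "plugin_popup_3_html", '<div class="promo">Join our newsletter!</div>'),
    Row("wp_options", "plugin_popup_4_html",
        '<div class="alert">Update your browser to continue</div>'
        '<script src="https://update-lure.invalid/chrome.js"></script>'),
    Row("wp_postmeta", "_plugin_popup_settings", f'{{"raw":"{_ENCODED_REDIRECT}"}}'),
]

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(f"{hit.table}.{hit.key}: {hit.indicator}")
```

The allow-list of script hosts is the part worth tuning per site: any external script source not on it surfaces for review, which is how a plugin-stored loader pointing at an unfamiliar host stands out even when the surrounding HTML looks like an ordinary pop-up.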
