Cybersecurity researchers have discovered a malicious Python package uploaded to the Python Package Index (PyPI) repository that’s designed to deliver an information stealer called Lumma (aka LummaC2).
The package in question is crytic-compilers, a typosquatted version of a legitimate library named crytic-compile. The rogue package was downloaded 441 times before it was taken down by PyPI maintainers.
“The counterfeit library is interesting in that, in addition [to] being named after the legitimate Python utility, ‘crytic-compile,’ it aligns its version numbers with the real library,” Sonatype security researcher Ax Sharma said.
“Whereas the real library’s latest version stops at 0.3.7, the counterfeit ‘crytic-compilers’ version picks up right here, and ends at 0.3.11 — giving off the impression that this is a newer version of the component.”
In a further attempt to keep up the ruse, some versions of crytic-compilers (e.g., 0.3.9) were found to install the actual package by means of a modification to the setup.py script.
The latest version, however, drops all pretense of a benign library by determining if the operating system is Windows, and if so, launches an executable (“s.exe”), which, in turn, is designed to fetch additional payloads, including the Lumma Stealer.
An information stealer available to other criminal actors under a malware-as-a-service (MaaS) model, Lumma has been distributed through diverse methods such as trojanized software, malvertising, and even fake browser updates.
The discovery “demonstrates seasoned threat actors now targeting Python developers and abusing open-source registries like PyPI as a distribution channel for their potent data theft arsenal,” Sharma said.
Fake Browser Update Campaigns Target Hundreds of WordPress Sites
The development comes as Sucuri revealed that more than 300 WordPress sites have been compromised with malicious Google Chrome update pop-ups that redirect site visitors to bogus MSIX installers that lead to the deployment of information stealers and remote access trojans.
Attack chains involve the threat actors gaining unauthorized access to the WordPress admin interface and installing a legitimate WordPress plugin called Hustle – Email Marketing, Lead Generation, Optins, Popups to upload the code responsible for displaying the fake browser update pop-ups.
“This campaign underscores a growing trend among hackers to leverage legitimate plugins for malicious purposes,” security researcher Puja Srivastava said. “By doing so, they can evade detection by file scanners, as most plugins store their data within the WordPress database.”