A malicious Python package named “crytic-compilers” was identified on PyPI.
Masquerading as a legitimate library for smart contract compilation, it mimicked the name and versioning scheme of the real “crytic-compile” tool.
The imposter package sought to infiltrate popular development environments by appearing to offer the expected functionality while it harbored a hidden payload that stole cryptocurrency from infected systems.
The package garnered 436 downloads before its takedown, which highlights the risk of relying solely on open-source components without proper vetting.
The counterfeit Python library, “crytic-compilers”, is designed to exploit developers by mimicking the legitimate “crytic-compile” library: it uses a similar name and aligns its version numbers (0.3.8 to 0.3.11) with the real project's so that it appears to be a newer release.
Some versions even attempt to install the actual library to deflect suspicion.
The malicious intent is revealed in version 0.3.11, which targets Windows systems and executes a hidden program (s.exe).
The strategy leverages the popularity of “crytic-compile” (170,000 monthly downloads, 141 GitHub stars) to infiltrate unsuspecting projects in the cryptocurrency development community.
Lumma, a Russia-linked C2 trojan, targets Windows users by stealing crypto wallets and browser passwords.
The malware, disguised as an executable file (s.exe), uses anti-detection techniques to avoid being caught.
It connects to a list of domains (IOCs) with active “/api” endpoints, most likely Lumma C2 servers, registered on Namecheap and secured by Cloudflare, making takedown attempts more challenging.
According to SonaType, geo-blocking also prevents users from accessing these domains from restricted regions.
Lumma Stealer, a C-based Windows trojan targeting cryptocurrency wallets and browser extensions, has been distributed through various channels since at least 2022.
Primarily offered as Malware-as-a-Service on Russian dark web forums, Lumma has reappeared in trojanized apps, phishing emails, and pirated games with cheats.
Most recently, drive-by downloads on compromised websites disguised as fake browser updates have been used to deliver Lumma stealers.