Python Developers Beware! Russian Hackers Targeting You With Malicious Packages

A malicious Python package named “crytic-compilers” was identified on PyPI.

Masquerading as a legitimate library for intelligent contract compilation, it mimicked the name and versioning scheme of the real “crytic-compile” tool. 

The imposter package infiltrated popular development environments by appearing to offer desired functionality, as it harbored a hidden payload that stole cryptocurrency from infected systems. 

Although the package garnered 436 downloads before its takedown, which highlights the vulnerability of relying solely on open-source components without proper vetting. 

A counterfeit Python library, “crytic-compilers”, is designed to exploit developers by mimicking the legitimate “crytic-compile” library, which uses similar names and aligns version numbers (0.3.8 to 0.3.11) with appearing as a newer version. 

Analyze any MaliciousURL, Files & Emails & Configuration With ANY RUN : Start your Analysis

Some versions even attempt to install the actual library to deflect suspicion.

The malicious intent is revealed in version 0.3.11, which targets Windows systems and executes a hidden program (s.exe). 

The strategy leverages the popularity of “crytic-compile” (170,000 monthly downloads, 141 GitHub stars) to infiltrate unsuspecting projects in the cryptocurrency development community. 

Lumma, a Russia-linked C2 trojan, targets Windows users by stealing crypto wallets and browser passwords. ]

The malware, disguised as an executable file (s.exe), uses anti-detection techniques to avoid being caught. 

It connects to a list of domains (IOCs) with active “/api” endpoints, most likely Lumma C2 servers, registered on Namecheap and secured by Cloudflare, making takedown attempts more challenging. 

According to SonaType, geo-blocking also prevents users from accessing these domains from restricted regions.   

Lumma Stealer, a C-based Windows trojan targeting cryptocurrency wallets and browser extensions, has been distributed through various channels since at least 2022. 

Primarily offered as Malware-as-a-Service on Russian dark web forums, Lumma has reappeared in trojanized apps, phishing emails, and pirated games with cheats. 

Most recently, drive-by downloads on compromised websites disguised as fake browser updates have been used to deliver Lumma stealers. 

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo