A malicious Python package named “crytic-compilers” was identified on PyPI.
Masquerading as a legitimate library for smart contract compilation, it mimicked the name and versioning scheme of the real “crytic-compile” tool.
The imposter package infiltrated popular development environments by appearing to offer the desired functionality, while it harbored a hidden payload that stole cryptocurrency from infected systems.
The package garnered 436 downloads before its takedown, which highlights the risk of relying solely on open-source components without proper vetting.
The counterfeit Python library, “crytic-compilers”, is designed to exploit developers by mimicking the legitimate “crytic-compile” library: it uses a similar name and aligns its version numbers (0.3.8 to 0.3.11) with those of the real library so that it appears to be a newer release.
Some versions even attempt to install the actual library to deflect suspicion.
The malicious intent is revealed in version 0.3.11, which targets Windows systems and executes a hidden program (s.exe).
The strategy leverages the popularity of “crytic-compile” (170,000 monthly downloads, 141 GitHub stars) to infiltrate unsuspecting projects in the cryptocurrency development community.
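As an added defender-side example (not from the article or from Sonatype), the following Python scans a requirements file for dependency names that closely resemble a trusted package, the lookalike pattern crytic-compilers used against crytic-compile. The trusted allow-list, the similarity threshold and the sample requirements file are all constructed for this example.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list for this example; a real project would derive it
# from its own lockfile or an internal registry.
TRUSTED = {"crytic-compile", "slither-analyzer", "requests"}


def normalize(name: str) -> str:
    """PEP 503: '-', '_' and '.' are equivalent and names are case-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Return the bare distribution names from requirements.txt content."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):  # skip blanks and pip options
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def find_lookalikes(names, trusted=TRUSTED, threshold=0.85):
    """Flag names that are not trusted but closely resemble a trusted name."""
    trusted_norm = sorted(normalize(t) for t in trusted)
    findings = []
    for name in names:
        n = normalize(name)
        if n in trusted_norm:
            continue  # exact (normalized) match: this is the real package
        for t in trusted_norm:
            ratio = SequenceMatcher(None, n, t).ratio()
            if ratio >= threshold:
                findings.append((name, t, round(ratio, 2)))
                break
    return findings


# Constructed sample requirements file: the lookalike sits next to the real tool.
SAMPLE = """\
# dev tooling
crytic-compile==0.3.7
crytic-compilers==0.3.11   # looks like a newer release of the real tool
requests>=2.31
slither-analyzer
"""

if __name__ == "__main__":
    for name, target, ratio in find_lookalikes(parse_requirements(SAMPLE)):
        print(f"suspicious: {name!r} resembles trusted {target!r} (similarity {ratio})")
```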
Lumma, a Russia-linked C2 trojan, targets Windows users by stealing crypto wallets and browser passwords.
The malware, disguised as an executable file (s.exe), uses anti-detection techniques to avoid being caught.
It connects to a list of domains (IOCs) with active “/api” endpoints, most likely Lumma C2 servers, registered on Namecheap and secured by Cloudflare, making takedown attempts more challenging.
According to Sonatype, geo-blocking also prevents users from accessing these domains from restricted regions.
Lumma Stealer, a C-based Windows trojan targeting cryptocurrency wallets and browser extensions, has been distributed through various channels since at least 2022.
Primarily offered as Malware-as-a-Service on Russian dark web forums, Lumma has reappeared in trojanized apps, phishing emails, and pirated games with cheats.
Most recently, drive-by downloads on compromised websites disguised as fake browser updates have been used to deliver Lumma stealers.