Categories: cyber securityCyber Security NewsPython

Python Developers Beware! Russian Hackers Targeting You With Malicious Packages

A malicious Python package named “crytic-compilers” was identified on PyPI.

Masquerading as a legitimate library for intelligent contract compilation, it mimicked the name and versioning scheme of the real “crytic-compile” tool.

The imposter package infiltrated popular development environments by appearing to offer desired functionality, as it harbored a hidden payload that stole cryptocurrency from infected systems.

Although the package garnered 436 downloads before its takedown, which highlights the vulnerability of relying solely on open-source components without proper vetting.

installing the real library (‘crytic-compile’) to avoid suspicion

A counterfeit Python library, “crytic-compilers”, is designed to exploit developers by mimicking the legitimate “crytic-compile” library, which uses similar names and aligns version numbers (0.3.8 to 0.3.11) with appearing as a newer version.

Analyze any MaliciousURL, Files & Emails & Configuration With ANY RUN : Start your Analysis

Some versions even attempt to install the actual library to deflect suspicion.

The malicious intent is revealed in version 0.3.11, which targets Windows systems and executes a hidden program (s.exe).

The strategy leverages the popularity of “crytic-compile” (170,000 monthly downloads, 141 GitHub stars) to infiltrate unsuspecting projects in the cryptocurrency development community.

Lumma, a Russia-linked C2 trojan, targets Windows users by stealing crypto wallets and browser passwords. ]

The malware, disguised as an executable file (s.exe), uses anti-detection techniques to avoid being caught.

It connects to a list of domains (IOCs) with active “/api” endpoints, most likely Lumma C2 servers, registered on Namecheap and secured by Cloudflare, making takedown attempts more challenging.

According to SonaType, geo-blocking also prevents users from accessing these domains from restricted regions.

Lumma Stealer, a C-based Windows trojan targeting cryptocurrency wallets and browser extensions, has been distributed through various channels since at least 2022.

Primarily offered as Malware-as-a-Service on Russian dark web forums, Lumma has reappeared in trojanized apps, phishing emails, and pirated games with cheats.

Most recently, drive-by downloads on compromised websites disguised as fake browser updates have been used to deliver Lumma stealers.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.