This website uses cookies

Our website, platform and/or any sub domains use cookies to understand how you use our services, and to improve both your experience and our marketing relevance.

Cloudways Copilot is here. Get Access to your Intelligent Hosting Assistant Today! Learn More

Fake “Crytic-Compilers” Target Python Developers on PyPI

Updated on June 6, 2024

2 Min Read


Cybersecurity researchers have discovered a harmful Python package on the Python Package Index (PyPI) repository, designed to deploy an information-stealing malware known as Lumma (also referred to as LummaC2).

via GIPHY

The malicious package, named crytic-compilers, is a typosquatted version of the legitimate library crytic-compile. It was downloaded 441 times before PyPI maintainers removed it.

Sonatype security researcher Ax Sharma noted the sophistication of the counterfeit package, highlighting that it not only mimicked the name of the legitimate utility but also matched its version numbers. “The real library’s latest version is 0.3.7, but the fake ‘crytic-compilers’ starts at 0.3.8 and ends at 0.3.11, creating the illusion of being a newer version,” Sharma explained.

In some versions, crytic-compilers even included the actual crytic-compile package by modifying the setup.py script. However, the latest version completely abandoned this facade. It checked if the operating system was Windows, and if so, launched an executable (“s.exe“) to download additional payloads, including the Lumma Stealer.

Lumma is an information stealer available through a malware-as-a-service (MaaS) model. It’s been distributed via various methods, such as trojanized software, malvertising, and fake browser updates.

“The discovery shows that experienced threat actors are now targeting Python developers and using open-source registries like PyPI to distribute their data theft tools,” Sharma said.

In a related development, Sucuri reported that over 300 WordPress sites have been compromised with fake Google Chrome update pop-ups. These pop-ups redirect visitors to malicious MSIX installers, which then deploy information stealers and remote access trojans.

The attack involves threat actors gaining unauthorized access to the WordPress admin interface and installing a legitimate plugin called Hustle – Email Marketing, Lead Generation, Optins, Popups. This plugin is then used to upload the code that displays the fake browser update pop-ups.

Security researcher Puja Srivastava noted, “This campaign highlights a growing trend among hackers to misuse legitimate plugins for malicious purposes. By doing so, they can bypass file scanners since most plugins store their data within the WordPress database.”

Share your opinion in the comment section. COMMENT NOW

Share This Article

Start Growing with Cloudways Today.

Our Clients Love us because we never compromise on these

Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.

×

Webinar: How to Get 100% Scores on Core Web Vitals

Join Joe Williams & Aleksandar Savkovic on 29th of March, 2021.

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!

Want to Experience the Cloudways Platform in Its Full Glory?

Take a FREE guided tour of Cloudways and see for yourself how easily you can manage your server & apps on the leading cloud-hosting platform.

Start my tour