Crytic-compilers: Hackers are increasingly hiding infostealers in developer repositories

Tomcat

How to protect yourself and your software from the tricks of cyber bandits?

A malicious package designed to distribute the information theft program Lumma (also known as LummaC2) was discovered in the Python Package Index (PyPI) repository. This is a package called "crytic-compilers", which is a fake of the legitimate "crytic-compile" library. The fake package was downloaded 441 times before it was removed.

Security researchers from the company Sonatype noticed that the fake library uses the same version number as the original one, with the exception of adding a few last digits.

So, while the latest version of the original library ends at 0.3.7, the fake version of crytic-compilers reaches 0.3.11. So, apparently, hackers wanted to encourage developers to install a "more recent" package. Of course, if they don't realize that the package is fake.

It is noteworthy that some versions of "crytic-compilers", including 0.3.9, did install legitimate content, but in version 0.3.11, when the operating system is identified as Windows, the package runs an executable file ("s.exe"), which in turn loads additional components, including the Lumma infostealer.

Lumma Stealer is available to many cybercriminals using the MaaS model and is distributed by various methods, including pirated software, fraudulent advertising, and fake browser updates.

This discovery shows that experienced attackers are increasingly targeting Python developers and abusing open source registries such as PyPI as a distribution channel for their powerful arsenal of data theft.

Developers are encouraged to carefully check the names and versions of the libraries they install, especially when it comes to open repositories such as PyPI. Even small variations in the names or version numbers may indicate that the package is fake.