In a perturbing development within the Python ecosystem, cybersecurity sleuths have uncovered a nefarious Python package clandestinely infiltrating the Python Package Index (PyPI) repository. This malevolent package, dubbed “crytic-compilers,” masquerades as a legitimate library and acts as a conduit for disseminating an information-stealing malware known as Lumma (or LummaC2).
The treacherous package, “crytic-compilers,” represents a sophisticated instance of typosquatting, a method whereby malicious actors craftily name a package to resemble a reputable one—in this case, “crytic-compile.” Prior to its removal by PyPI custodians, this impostor package managed to ensnare 441 unsuspecting downloads.
Ax Sharma, a security researcher from Sonatype, elucidated, “The fraudulent library is intriguing not merely because it shares nomenclature with the genuine Python utility ‘crytic-compile,’ but also because it synchronizes its versioning scheme with the authentic library.” He noted, “While the legitimate library’s latest release culminates at version 0.3.7, the spurious ‘crytic-compilers’ extends from here, culminating at version 0.3.11—perpetuating the illusion of being a more recent iteration.”
In a bid to perpetuate this deception, certain iterations of “crytic-compilers” (such as version 0.3.9) were engineered to deploy the authentic package via alterations to the setup.py script. However, the latest iteration abandons any façade of benignity by detecting if the operating system is Windows and subsequently deploying an executable (“s.exe”). This executable is tasked with retrieving additional malicious payloads, including the Lumma Stealer.
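The two tells described above (a name one short edit or suffix away from a real package, with a version number that runs past the real one; and a setup.py that branches on the host OS and runs an executable at install time) can both be screened for before a dependency is installed. The following is an added example written for this article, not code from the malicious package or from Sonatype; the allow-list, the version numbers and the sample setup.py are constructed for illustration, and the executable name in the sample is a placeholder.

```python
# Added example (not the original package's code): two defender-side checks
# for the patterns described above. Package names, versions and the sample
# setup.py below are constructed for illustration.
import ast

# Constructed allow-list of packages a project depends on, with the latest
# legitimate release (0.3.7 for crytic-compile, as stated in the article).
KNOWN_PACKAGES = {"crytic-compile": "0.3.7"}

# Attribute/call names that branch on the host OS, and calls that execute
# something. A setup.py doing both at install time deserves a manual look.
OS_CHECK_NAMES = {"platform.system", "sys.platform", "os.name"}
EXEC_CALL_NAMES = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                   "subprocess.check_output", "os.system", "os.startfile",
                   "os.execv", "os.spawnl"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_version(v: str) -> tuple:
    """Turn '0.3.11' into (0, 3, 11) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def typosquat_findings(name: str, version: str, known=KNOWN_PACKAGES,
                       max_distance: int = 2) -> list:
    """Flag names that are a short edit or a suffix away from a known package,
    and versions that run past the known package's latest release."""
    findings = []
    for legit, latest in known.items():
        if name == legit:
            continue
        dist = edit_distance(name, legit)
        if dist <= max_distance or name.startswith(legit):
            findings.append(f"'{name}' is {dist} edit(s) from known package '{legit}'")
            if parse_version(version) > parse_version(latest):
                findings.append(f"version {version} continues past {legit}'s latest {latest}")
    return findings


def _dotted_name(node):
    """Turn an Attribute/Name chain like os.path.join into 'os.path.join'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source: str) -> list:
    """Static scan of setup.py source for OS-conditional execution and
    references to Windows executables. A heuristic for triage, not a verdict."""
    tree = ast.parse(source)
    os_checks, exec_calls, exe_refs = 0, [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and _dotted_name(node) in OS_CHECK_NAMES:
            os_checks += 1
        elif isinstance(node, ast.Call):
            callee = _dotted_name(node.func)
            if callee in EXEC_CALL_NAMES:
                exec_calls.append(callee)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and node.value.lower().endswith(".exe"):
            exe_refs.append(node.value)
    findings = []
    if os_checks and exec_calls:
        findings.append(f"OS-conditional execution at install time: {sorted(set(exec_calls))}")
    for ref in exe_refs:
        findings.append(f"setup.py references an executable: {ref}")
    return findings


# Constructed sample setup.py exhibiting the pattern (placeholder file name,
# not the real package's script).
SAMPLE_SETUP_PY = '''
import os, subprocess
from setuptools import setup

if os.name == "nt":
    subprocess.run([os.path.join(os.path.dirname(__file__), "PLACEHOLDER.exe")])

setup(name="example-pkg", version="0.3.11")
'''

if __name__ == "__main__":
    for line in typosquat_findings("crytic-compilers", "0.3.11"):
        print("package:", line)
    for line in scan_setup_py(SAMPLE_SETUP_PY):
        print("setup.py:", line)
```

Run against the article's case, `typosquat_findings("crytic-compilers", "0.3.11")` reports that the name is two edits from `crytic-compile` and that 0.3.11 continues past the genuine 0.3.7, while the setup.py scan reports the OS-conditional `subprocess.run` and the `.exe` reference. Both checks are intentionally simple heuristics: a wrapper around `pip download` that runs them on every new dependency before installation, with findings routed to a human, is the sensible way to use them.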
Lumma, a formidable information-stealing tool available through a malware-as-a-service (MaaS) model, has been disseminated through an array of vectors, including trojanized applications, malvertising, and deceptive browser update alerts.
Sharma emphasized that this discovery “illustrates a sophisticated stratagem by adept threat actors targeting Python developers and exploiting open-source repositories like PyPI as vectors for their potent data exfiltration arsenal.”
Fake Browser Update Campaigns Compromise Numerous WordPress Sites
In a concurrent alarming trend, Sucuri has exposed that over 300 WordPress sites have fallen prey to a campaign involving counterfeit Google Chrome update prompts. These fraudulent prompts redirect visitors to deceptive MSIX installers, which subsequently deploy information-stealing malware and remote access trojans.
The modus operandi entails the perpetrators gaining unauthorized access to the WordPress administrative interface and utilizing a legitimate WordPress plugin named Hustle – Email Marketing, Lead Generation, Optins, Popups to embed the malicious code responsible for presenting the spurious browser update notifications.
Puja Srivastava, a security researcher, commented on this tactic, noting, “This campaign highlights a burgeoning tendency among cyber adversaries to repurpose legitimate plugins for malicious ends. By leveraging such plugins, they can circumvent detection by file scanners, as these plugins often store their payloads within the WordPress database.”
This dual-pronged assault on both Python developers via PyPI and WordPress sites through fake update campaigns underscores an alarming trend in the cyber threat landscape, where even trusted platforms are repurposed as vectors for sophisticated malicious activities.