Hackers Hide Infostealers in Developer Repos

A malicious package designed to spread the Lumma information stealer (also known as LummaC2) has been found in the Python Package Index (PyPI). The package is named "crytic-compilers", a typosquat of the legitimate library "crytic-compile". The fake package was downloaded 441 times before it was removed.

Security researchers at Sonatype noted that the fake library mirrors the version numbering of the original, except that it adds a few extra versions on top.

So while the latest version of the original library is 0.3.7, the fake crytic-compilers goes up to 0.3.11. The attackers apparently wanted to lure developers into installing a "fresher" package, provided they did not notice it was a fake.

Notably, some versions of crytic-compilers, including 0.3.9, actually installed the legitimate package through a modified setup.py script. In version 0.3.11, however, when the operating system is detected as Windows, the package launches an executable ("s.exe"), which in turn downloads additional components, including the Lumma infostealer.
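The two lures described above, a near-miss package name and a version number higher than anything upstream ever published, can be caught before installation. The following checker is an added example, not code from Sonatype or the article; its allowlist and sample requirement lines are constructed from the package names and versions the article gives.

```python
# Added example (not from the Sonatype report): flag requirement lines
# that look like typosquats of trusted packages or carry inflated versions.
from difflib import SequenceMatcher

# Constructed allowlist: trusted name -> latest version known upstream
# (crytic-compile 0.3.7 is the legitimate package the article names).
TRUSTED = {"crytic-compile": (0, 3, 7), "requests": (2, 31, 0)}

def parse_version(text):
    """'0.3.11' -> (0, 3, 11), so versions compare numerically, not as text."""
    return tuple(int(p) for p in text.split("."))

def normalize(name):
    """PyPI treats case and '-', '_', '.' as equivalent in package names."""
    return name.lower().replace("_", "-").replace(".", "-")

def check_requirement(name, version, trusted=TRUSTED, threshold=0.85):
    """Return findings for one requirement; an empty list means clean.

    A near miss of a trusted name is flagged as a likely typosquat, and a
    version above that package's latest release is flagged as inflated:
    the 'newer than upstream' lure the article describes.
    """
    findings, norm = [], normalize(name)
    if norm in trusted:
        if parse_version(version) > trusted[norm]:
            findings.append("version exceeds known upstream release")
        return findings
    for good in trusted:
        if SequenceMatcher(None, norm, good).ratio() >= threshold:
            findings.append(f"name resembles trusted package {good!r}")
            if parse_version(version) > trusted[good]:
                findings.append(f"version exceeds {good}'s latest release")
    return findings

def scan_requirements(lines):
    """Check 'name==version' lines; return {name: findings} for flagged ones."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        if findings := check_requirement(name, version):
            report[name] = findings
    return report

if __name__ == "__main__":
    sample = ["crytic-compile==0.3.7", "crytic-compilers==0.3.11"]
    for pkg, found in scan_requirements(sample).items():
        print(pkg, "->", "; ".join(found))
```

In a real pipeline the allowlist would be generated from your lock file and the registry's published release list rather than typed by hand.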

Lumma Stealer is sold to many cybercriminals under the malware-as-a-service (MaaS) model and is distributed by various methods, including pirated software, malvertising, and fake browser updates.

This discovery shows that experienced attackers are increasingly targeting Python developers and abusing open-source registries such as PyPI as a distribution channel for their data-theft arsenal.
