Published on June 18th, 2024
Cybersecurity researchers have uncovered a dangerous Python package on the Python Package Index (PyPI) repository, intended to distribute an information stealer known as Lumma (or LummaC2).
The malicious package, crytic-compilers, is a typosquatted imitation of crytic-compile, a legitimate library. Before PyPI administrators removed it, it had been downloaded 441 times.
Not only did it mimic the name of the authentic Python utility, but it also kept its version numbers in step with the genuine library, creating the illusion of being a newer release of the same project.
Further Deception Uncovered
Some versions of crytic-compilers, such as 0.3.9, kept up the appearance of a working tool: their setup.py script quietly installed the legitimate crytic-compile package alongside the malicious one.
The latest version abandoned that pretense entirely and, on Windows systems, ran an executable named “s.exe”, which in turn deployed Lumma Stealer and additional payloads.
Lumma Stealer: A Malware-As-A-Service (MaaS) Threat
Lumma Stealer is sold under a malware-as-a-service model and has been distributed through a variety of channels, including trojanized software, malvertising, and fake browser updates.
Its appearance on PyPI underscores a worrying trend: experienced threat actors are targeting Python developers and abusing open-source repositories to deliver their malware.
Typosquatting
Typosquatting involves registering domain names or software package names that closely resemble well-known ones, with slight variations such as:
- Misspelled characters: Swapping or substituting letters (e.g., “googel.com” instead of “google.com”).
- Missing or extra characters: Omitting or adding a letter or symbol (e.g., “facebok.com” instead of “facebook.com”).
- Wrong domain extensions: Using a different top-level domain (TLD) like “.org” or “.info” instead of the intended “.com”.
Beyond Crytic-Compilers:
The “crytic-compilers” case is just one example of typosquatting on PyPI. The following are illustrative scenarios of the same technique:
- TensorFlow vs. TensorrFlow: An attacker could publish a fake package named “TensorrFlow” to catch developers looking for the popular machine learning library “TensorFlow.”
- Django vs. Jangoo: Similarly, “Jangoo” could trick developers seeking the Django web framework.
- Requests vs. Reque$t: Subtly replacing a letter with a special character is another variant of the tactic (PyPI rejects characters like “$” in package names, so this form mostly turns up in domain names and in links pasted into documentation or chat).
The Impact:
When developers unknowingly download these malicious packages, they could unleash a variety of threats, including:
- Information stealers: Like Lumma Stealer, these programs can steal login credentials, financial data, and other sensitive information.
- Cryptojacking: Malware can hijack a user’s computer to mine cryptocurrency for the attacker’s benefit.
- Ransomware: Malicious code can encrypt a user’s files, demanding a ransom payment for decryption.
Protecting Yourself:
To avoid falling victim to typosquatting, developers should be careful about which packages they install:
- Double-check the package name: Ensure it is spelled exactly as the official project documents it. pip treats “Crytic_Compile” and “crytic-compile” as the same package, but “crytic-compilers” is a different one.
- Verify the publisher: Confirm that the PyPI project links to the expected source repository and is owned by the maintainers you expect. PyPI has no user reviews, and a download count alone proves nothing.
- Use a secure connection and pin what you install: Download packages only from trusted indexes over HTTPS (pip's default), pin exact versions, and record their SHA256 hashes so that pip's --require-hashes mode refuses any artifact that does not match.
- Stay updated: Keep your development environment and software up-to-date with the latest security patches.