Another day, another malicious package being discovered on the Python Package Index (PyPI) repository.
Ax Sharma, a cybersecurity researcher from Sonatype, found a typosquatted imitation of the legitimate library ‘crytic-compile’.
‘Crytic-compile’ is a Trail of Bits tool that simplifies compiling smart contracts written in different languages so that they can be fed to security analysis tools. It provides a unified compilation interface, so developers and security researchers can work with different analysis tools without worrying about the specifics of each compilation process.
Fake it until you make it
The malicious version, on the other hand, is called ‘crytic-compilers’ and is designed to deploy the Lumma infostealer. The threat actors went the extra mile to trick unsuspecting Python developers into installing the wrong package: the typosquatted variant mirrors the real library’s version numbers, and some of its releases even install the genuine package, so nothing looks amiss after installation.
Newer versions, however, dropped the act, while keeping the version numbering that makes the counterfeit look like a continuation of the real library:
“The counterfeit library is interesting in that, in addition [to] being named after the legitimate Python utility, ‘crytic-compile,’ it aligns its version numbers with the real library,” Sharma said. “Whereas the real library’s latest version stops at 0.3.7, the counterfeit ‘crytic-compilers’ version picks up right here, and ends at 0.3.11 — giving off the impression that this is a newer version of the component.”
Lumma is a known infostealer, a piece of malware capable of grabbing passwords stored in popular browsers, cookies, credit card information, and data related to cryptocurrency wallets. Often referred to as LummaC2, the malware is offered as a service for a subscription fee ranging between $250 and $1,000.
Since the attack relies on the victim installing a package by a slightly wrong name, the best protection is procedural: check the exact package name and its maintainer before installing, pin dependencies by version and hash in a lockfile so an unexpected name or release cannot slip in, and treat a package whose version numbers run ahead of the real project’s releases as a red flag rather than a newer build.
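One way to catch this class of mistake before `pip install` runs is to compare every name in a requirements file against an allowlist of vetted packages and flag near-misses. The script below is an added example written for this article; it is not code from Sonatype, Trail of Bits or The Hacker News. The allowlist `TRUSTED` and the sample requirements file are constructed for illustration, and the edit-distance threshold is an assumption you would tune for your own dependency set.

```python
"""Flag requirement names that look like typosquats of allowlisted packages.

Added example for this article, not code from the article or from the
crytic-compile project. The allowlist and sample requirements are constructed.
"""
import re

# Packages the team has vetted (constructed allowlist, not an official list).
TRUSTED = {"crytic-compile", "slither-analyzer", "requests", "numpy"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_requirement(line: str):
    """Return (name, version spec) for a requirements.txt line, or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", line)
    if not m:
        return None
    return m.group(1), m.group(2).strip()


def classify(name: str, max_distance: int = 2):
    """Return (verdict, closest trusted name).

    'trusted'    - normalized name is on the allowlist
    'suspicious' - within max_distance edits of an allowlisted name (likely typosquat)
    'unknown'    - nothing nearby; needs a manual review rather than a reflexive install
    """
    norm = normalize(name)
    if norm in TRUSTED:
        return "trusted", None
    for good in sorted(TRUSTED):
        if edit_distance(norm, good) <= max_distance:
            return "suspicious", good
    return "unknown", None


def audit(requirements_text: str):
    """Return [(name, verdict, closest trusted name)] for every requirement line."""
    results = []
    for line in requirements_text.splitlines():
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, _spec = parsed
        verdict, closest = classify(name)
        results.append((name, verdict, closest))
    return results


# Constructed sample input: the real library, the counterfeit from the article,
# a differently-spelled but equivalent name, a one-letter variant, and a stranger.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
crytic-compile==0.3.7
crytic-compilers==0.3.11   # two letters longer than the real name
Crytic_Compile>=0.3
slither-analyser
requests==2.31.0
totally-new-package==1.0
"""

if __name__ == "__main__":
    for name, verdict, closest in audit(SAMPLE_REQUIREMENTS):
        hint = f" (looks like {closest})" if closest else ""
        print(f"{verdict:10} {name}{hint}")
```

Run it as a pre-commit or CI step over `requirements.txt`; a `suspicious` verdict should block the install until someone confirms the name against the project's own documentation. The fixed threshold of two edits is deliberately crude: for very short trusted names it will flag unrelated packages, so scale it with name length or keep the allowlist to the handful of packages you actually depend on. Name matching is only the first gate; pinning releases by hash (`pip install --require-hashes -r requirements.txt`) is what stops a look-alike release from being pulled in even when the name is right.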
Via The Hacker News