Python Developers were targeted by Hackers via Fake “Crytic-Compilers Package” on PyPl

Python Developers were targeted by Hackers

Python Developers were targeted by Hackers via Fake “Crytic-Compilers Package” on PyPl

A malicious Python package that was posted to the Python Package Index (PyPI) repository to deliver the information stealer Lumma (also known as LummaC2) has been found by cybersecurity researchers.

The package in question is called crytic-compilers, which is a misspelling of the actual crytic-compile library. The malicious package was downloaded 441 times before being removed by PyPI maintainers.

Ax Sharma, Security Researcher, Sonatype

“The counterfeit library is interesting in that, in addition [to] being named after the legitimate Python utility, ‘crytic-compile,’ it aligns its version numbers with the real library.”

“Whereas the real library’s latest version stops at 0.3.7, the counterfeit ‘crytic-compilers’ version picks up right here, and ends at 0.3.11 — giving off the impression that this is a newer version of the component.”

The discovery “demonstrates seasoned threat actors now targeting Python developers and abusing open-source registries like PyPI as a distribution channel for their potent data theft arsenal.”


In an additional effort to maintain the deception, it was discovered that some versions of crytic-compilers (such as 0.3.9) installed the package by altering the script.

But the most recent version eliminates all semblance of a benign library by first detecting whether Windows is the operating system and then launching an application (“s.exe”) that is intended to retrieve more payloads, which includes the Lumma Stealer.

Lumma is a malware-as-a-service (MaaS) information thief that is accessible to other criminal actors. It has been spread using a variety of techniques, including trojanized software, malvertising, and even phony browser upgrades.

Hundreds of WordPress websites are the target of fake browser update campaigns.

The development coincides with Sucuri’s disclosure that over 300 WordPress websites have been infiltrated by malicious Google Chrome update pop-ups that drive users to fraudulent MSIX installers, which in turn trigger the deployment of remote access trojans and information stealers.

In attack chains, the code that causes the phony browser update pop-ups to appear is uploaded by the threat actors after they have gained unauthorized access to the WordPress admin panel and installed the Hustle – Email Marketing, Lead Generation, Options, Popups WordPress plugin.

Puja Srivastava, Security Researcher

“This campaign underscores a growing trend among hackers to leverage legitimate plugins for malicious purposes. By doing so, they can evade detection by file scanners, as most plugins store their data within the WordPress database.”

one year cyber security diploma course

About The Author

Suraj Koli is a content specialist with expertise in Cybersecurity and B2B Domains. He has provided his skills for the News4Hackers Blog and Craw Security. Moreover, he has written content for various sectors Business, Law, Food & Beverage, Entertainment, and many others. Koli established his center of the field in a very amazing scenario. Simply said, he started his career selling products, where he enhanced his skills in understanding the product and the point of view of clients from the customer’s perspective, which simplified his journey in the long run. It makes him an interesting personality among other writers. Currently, he is a regular writer at Craw Security.


Commando Cat Cryptojacking Attacks Aiming Misconfigured Docker Instances as Prime Targets

Advanced Surveillance Skills Identified in the macOS Variant of LightSpy Spyware

ICICI Bank Account Drained by Scamsters: Cyber Victim’s Shocking Story

About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Can we help you?