On May 1, 2024, Sonatype’s automated malware detection system identified a PyPI package named “crytic-compilers,” which closely resembles a legitimate Python library “crytic-compile” widely used by cryptocurrency developers. The legitimate library is used for compiling smart contracts, which are digital protocols stored on blockchain networks. This counterfeit package, tracked as sonatype-2024-1561, had been downloaded 436 times before it was removed from PyPI.
The counterfeit package is particularly insidious because it aligns its version numbers with the legitimate library, which has over 170,000 downloads per month. When the real library’s latest version was 0.3.7, the fake “crytic-compilers” versions started from 0.3.7 up to 0.3.11, creating the illusion of a new component. Some versions of the counterfeit component (such as 0.3.9) even attempted to “install” the real library to avoid suspicion.
The situation changed with the 0.3.11 version of the malicious component, which checks if you are running Windows. If so, it executes a bundled executable named “s.exe.” This executable has been identified as malware by several antivirus engines. It employs anti-detection and stealth techniques to evade researchers and malware sandbox analysis, further delivering dubious executables and accessing Windows registry settings.
External security researcher Dhanesh Dodia pointed out that this naming strategy could easily confuse users, especially since the genuine “crytic-compile” package is highly popular, with 141 stars on GitHub and 465 repositories depending on it.
The malicious Windows executable “s.exe” connects to several domains and IP addresses associated with the Lumma stealer (LummaC2), a command-and-control (C2) trojan that steals browser passwords and cryptocurrency wallets. These domains include:
– acceptabledcooeprs[.]shop – 104[.]21.59.156
– boredimperissvieos[.]shop – 172[.]67.186.30
– holicisticscrarws[.]shop – 172[.]67.183.72
– miniaturefinerninewjs[.]shop – 172[.]67.173.139
– obsceneclassyjuwks[.]shop – 104[.]21.20.88
– plaintediousidowsko[.]shop – 104[.]21.53.146
– sweetsquarediaslw[.]shop – 172[.]67.203.170
– zippyfinickysofwps[.]shop – 172[.]67.148.231
These domains have active “/api” endpoints, commonly found on domains related to Lumma, and are protected by Cloudflare’s DDoS protection. Some IP addresses accessing these domains are also subject to geoblocking.
Written in C, the Lumma stealer has been spreading online since August 2022. It primarily targets cryptocurrency wallets and browser extensions, often offered as malware-as-a-service (MaaS) on Russian forums in the dark web. Recently, its distribution channels include trojanized pirated applications, phishing emails sent to YouTube content creators, and pirated “free” games with cheat functions. This week, threat actors also spread Lumma via driver downloads, posting fake browser updates on compromised or illegal websites.
Sonatype’s discovery of “crytic-compilers” indicates that experienced threat actors are now targeting Python developers, using open-source registries like PyPI to distribute their data-stealing tools. Users of Sonatype Repository Firewall are protected from such counterfeit components, as they are blocked from entering their build environments. Sonatype may expand its block list regularly based on similar packages’ appearance and investigation progress. If you are not yet using Sonatype for protection, please contact us, and we can demonstrate the actual effectiveness of Repository Firewall.