
Security researchers have discovered a malicious Python package posted to the Python Package Index (PyPI) repository that was designed to deliver an information stealer known as Lumma (aka LummaC2).


The package in question is crytic-compilers, a typosquatted version of the legitimate library crytic-compile. The malicious package was downloaded 441 times before it was removed by PyPI maintainers.

“The counterfeit library is interesting because it not only mimics the name of the legitimate Python utility, crytic-compile, but also aligns its version numbers with the genuine library,” said Ax Sharma, a security researcher at Sonatype.

“While the legitimate library’s latest version stops at 0.3.7, the counterfeit crytic-compilers version starts right there and ends at 0.3.11—giving the impression that it is a newer version of the component.”

In an additional attempt to maintain the ruse, some versions of crytic-compilers (e.g., 0.3.9) were discovered to install the actual package via a modification to the setup.py file.

However, the most recent version abandons all pretense of being a benign library: it checks whether the operating system is Windows and, if so, launches an executable (“s.exe”) that retrieves further payloads, including the Lumma Stealer.

Lumma, an information stealer offered to other criminal actors under a malware-as-a-service (MaaS) model, has been distributed through a variety of methods, including trojanized software, malvertising, and even bogus browser updates.

“The finding demonstrates that seasoned threat actors are now targeting Python developers and abusing open-source registries like PyPI as a distribution channel for their potent data theft arsenal,” Sharma stated.

Fake browser update campaigns target hundreds of WordPress sites

Sucuri discovered that more than 300 WordPress sites have been infected with malicious Google Chrome update pop-ups that direct site visitors to fraudulent MSIX installers, which in turn install information stealers and remote access trojans.

Threat actors gain unauthorized access to the WordPress admin interface and then install a legitimate WordPress plugin named Hustle – Email Marketing, Lead Generation, Optins, Popups, which is used to upload the code that displays the phony browser update pop-ups.

“This campaign demonstrates a growing trend among hackers to use legitimate plugins for malicious purposes,” security researcher Puja Srivastava stated. “By doing so, they can evade detection by file scanners, as most plugins store their data within the WordPress database.”
