Summary:
The Socket Research Team has uncovered a malicious Python package named ‘crytic-compilers’ that is a result of a typosquatting attack. This package masquerades as a legitimate tool for smart contract compilation but contains a trojan executable that targets Windows systems. The incident highlights the risks associated with open-source package registries and the need for vigilant monitoring.
#Typosquatting #PythonSecurity #MaliciousPackages
Keypoints:
- Malicious behavior identified in the Python package ‘crytic-compilers’ on PyPI.
- The package is a typosquatting variant of the legitimate ‘crytic-compile’ used for smart contract compilation.
- It has been downloaded approximately 6,000 times daily, indicating its popularity in the crypto development community.
- The malicious package executes a trojan named ‘s.exe’ on Windows systems.
- 465 repositories depend on ‘crytic-compile’, showcasing its significance.
- The malicious script conditionally executes the trojan based on the operating system.
- The trojan ‘s.exe’ has been flagged by multiple antivirus engines on VirusTotal.
- Continuous monitoring of packages is essential to protect the software supply chain.
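Two of the checks a team can run on its own dependency set follow from these points: a name-distance check that would have flagged ‘crytic-compilers’ as a near-miss of ‘crytic-compile’, and a hash sweep that finds the published ‘s.exe’ IoC on disk. The script below is an added example written for this digest; it is not Socket's code. The SHA-256 value comes from the IoC section of this page; the allow-list entries other than ‘crytic-compile’, the sample requirement names and the in-memory file list are constructed for the demonstration.

```python
"""Added example (not Socket's code): typosquat and IoC-hash checks for a dependency set."""
import hashlib
import os
import re
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

# SHA-256 of s.exe as published in the Socket report (the one page-sourced value here).
KNOWN_BAD_SHA256: Dict[str, str] = {
    "b09ef792135fd0896ce7eb57638ea9199f1ae37f4a374398198a54bd84e2a5a2": "s.exe (crytic-compilers trojan)",
}

# Allow-list of names a team trusts. 'crytic-compile' is from the report; the
# other two are assumed entries used only to make the example realistic.
TRUSTED_PACKAGES = ["crytic-compile", "slither-analyzer", "requests"]


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Crytic_Compile' and 'crytic-compile' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a single-row DP table."""
    if a == b:
        return 0
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquats(requested: Iterable[str], trusted: Iterable[str],
                    max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (requested, trusted, distance) for names close to, but not equal to, a trusted name.

    Exact matches are the genuine package and are skipped; 'crytic-compilers'
    sits at distance 2 from 'crytic-compile' (two appended characters).
    """
    trusted_norm = [normalize(t) for t in trusted]
    hits: List[Tuple[str, str, int]] = []
    for name in requested:
        n = normalize(name)
        if n in trusted_norm:
            continue
        for t in trusted_norm:
            d = levenshtein(n, t)
            if d <= max_distance:
                hits.append((name, t, d))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iter_file_hashes(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, sha256) for every readable file under root (e.g. a site-packages dir)."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                yield p, sha256_file(p)
            except OSError:
                continue


def match_iocs(hashes: Iterable[Tuple[str, str]], iocs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, label) for every hash that appears in the IoC table."""
    return [(path, iocs[h]) for path, h in hashes if h in iocs]


if __name__ == "__main__":
    # Constructed requirement list: one genuine name, one typosquat, one unrelated name.
    requested = ["crytic-compile", "crytic-compilers", "numpy"]
    for name, trusted, dist in find_typosquats(requested, TRUSTED_PACKAGES):
        print(f"near-miss: {name!r} is {dist} edit(s) from trusted {trusted!r}")
    # Optional: sweep a directory given on the command line for the published hash.
    if len(sys.argv) > 1:
        for path, label in match_iocs(iter_file_hashes(sys.argv[1]), KNOWN_BAD_SHA256):
            print(f"IoC hit: {path} matches {label}")
```

Run it with a site-packages path as the first argument to sweep for the hash; without arguments it only reports the name-distance check. A distance threshold of 2 catches appended or swapped characters without flagging every short name against every other, but it should be tuned against the team's own allow-list.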
MITRE Techniques:
- Execution (T1203): The malicious package executes a trojan on Windows systems.
- Command and Control (T1071): The package attempts to download ‘crytic-compile’ from its GitHub repository while executing malicious payloads.
- Defense Evasion (T1203): The script checks the operating system to conditionally execute the trojan, evading detection on non-Windows platforms.
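The conditional-execution behaviour described above (an install-time script that tests the operating system and then launches a bundled executable) can be caught statically before a package is installed. The scanner below is an added example written for this digest, not Socket's tooling; the `SAMPLE_SETUP_PY` it scans is a constructed illustration of the pattern and is not the ‘crytic-compilers’ payload. The sets of execution and OS-probe calls are the author's choice of what to look for, not a list taken from the report.

```python
"""Added example (not Socket's code): flag OS-gated process launches in a setup.py."""
import ast
from typing import Iterator, List, Optional, Tuple

# Constructed sample, not the real malicious file: the shape the report describes.
SAMPLE_SETUP_PY = '''
import os, sys, platform, subprocess
from setuptools import setup

if platform.system() == "Windows":
    subprocess.Popen([os.path.join(os.path.dirname(__file__), "s.exe")])

setup(name="example-pkg", version="0.0.1")
'''

# Calls that start another process (assumed watch-list for this example).
EXEC_CALLS = {
    ("subprocess", "Popen"), ("subprocess", "call"), ("subprocess", "run"),
    ("subprocess", "check_call"), ("subprocess", "check_output"),
    ("os", "system"), ("os", "popen"), ("os", "startfile"),
    ("os", "execv"), ("os", "execvp"), ("os", "spawnl"),
}
# Attribute accesses that reveal the host operating system.
OS_PROBES = {("platform", "system"), ("platform", "platform"), ("sys", "platform"), ("os", "name")}


def dotted(node: ast.AST) -> Optional[Tuple[str, str]]:
    """Turn `mod.attr` into ('mod', 'attr'); None for anything else."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return (node.value.id, node.attr)
    return None


def contains_os_probe(test: ast.AST) -> bool:
    return any(dotted(n) in OS_PROBES for n in ast.walk(test))


def exec_calls_in(node: ast.AST) -> Iterator[ast.Call]:
    for n in ast.walk(node):
        if isinstance(n, ast.Call) and dotted(n.func) in EXEC_CALLS:
            yield n


def mentions_exe(call: ast.Call) -> bool:
    """True if any string literal inside the call names a .exe file."""
    return any(
        isinstance(n, ast.Constant) and isinstance(n.value, str) and n.value.lower().endswith(".exe")
        for n in ast.walk(call)
    )


def scan_source(src: str) -> List[dict]:
    """Report process launches that sit under an `if` whose test inspects the OS."""
    findings: List[dict] = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.If) and contains_os_probe(node.test):
            for call in exec_calls_in(node):
                name = dotted(call.func)
                findings.append({
                    "line": call.lineno,
                    "call": f"{name[0]}.{name[1]}",
                    "bundled_exe": mentions_exe(call),
                })
    return findings


def scan_file(path: str) -> List[dict]:
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return scan_source(f.read())


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SETUP_PY):
        tag = " (launches a bundled .exe)" if finding["bundled_exe"] else ""
        print(f"line {finding['line']}: OS-gated {finding['call']}{tag}")
```

Point `scan_file` at the `setup.py` inside a downloaded sdist (or at any `__init__.py` that runs on import) as a pre-install gate. The check is deliberately narrow, an OS test wrapping a process launch, so it stays quiet on ordinary build scripts; an execution call outside any OS branch is not reported by this function and would need a separate rule.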
IoC:
- [File Name] s.exe
- [File Hash] b09ef792135fd0896ce7eb57638ea9199f1ae37f4a374398198a54bd84e2a5a2
Full Research: https://socket.dev/blog/trojan-embedded-in-crytic-compilers-python-package