Lazarus Group Targets Python Developers with Malicious Packages

The North Korea-backed hacking group Lazarus uploaded four malicious packages to the Python Package Index (PyPI), aiming to infect developers' systems with malware.

The packages involved, "pycryptoenv," "pycryptoconf," "quasarlib," and "swapmempool," have since been removed from PyPI, but not before accumulating 3,269 downloads in total, with "pycryptoconf" the most downloaded at 1,351.

Shusei Tomonaga, a researcher at the Japanese Computer Emergency Response Team Coordination Center (JPCERT), noted that the names "pycryptoenv" and "pycryptoconf" closely resemble "pycrypto," a well-known Python encryption package, which indicates a deliberate typosquatting attack aimed at developers.
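A defender-side check for the naming trick described above, as an added example that is not part of the original report: it compares requested package names against a constructed allowlist of known packages (only "pycrypto" comes from the article; the other allowlist entries and the transposed name "pycrytpo" are assumed sample data) and flags names that embed or closely resemble a known one.

```python
import difflib

# Constructed allowlist. "pycrypto" is named in the article; the other entries
# are assumed examples of what a team might maintain.
KNOWN_PACKAGES = {"pycrypto", "pycryptodome", "requests", "numpy"}

# The four names reported in the article plus one constructed transposition
# ("pycrytpo") to exercise the fuzzy-match path.
SAMPLE_NAMES = ["pycryptoenv", "pycryptoconf", "quasarlib", "swapmempool", "pycrytpo"]


def normalize(name):
    """PyPI-style normalization: case-insensitive, '_' and '.' treated as '-'."""
    return name.lower().replace("_", "-").replace(".", "-")


def lookalike_reason(candidate, known, threshold):
    """Return why `candidate` looks like `known`, or None if it does not."""
    if candidate == known:
        return None  # exact match is the legitimate package itself
    if known in candidate:
        return "contains"  # e.g. pycrypto + env / conf
    ratio = difflib.SequenceMatcher(None, candidate, known).ratio()
    if ratio >= threshold:
        return "similar ({:.2f})".format(ratio)  # e.g. transposed letters
    return None


def flag_lookalikes(names, known_packages=KNOWN_PACKAGES, threshold=0.8):
    """Map each suspicious name to (the known package it imitates, reason)."""
    known_norm = {normalize(k) for k in known_packages}
    flagged = {}
    for raw in names:
        cand = normalize(raw)
        if cand in known_norm:
            continue  # a package on the allowlist is not a lookalike
        hits = []
        for k in known_norm:
            reason = lookalike_reason(cand, k, threshold)
            if reason:
                # Prefer containment hits, then the longest known name.
                hits.append((reason == "contains", len(k), k, reason))
        if hits:
            _, _, k, reason = max(hits)
            flagged[raw] = (k, reason)
    return flagged


if __name__ == "__main__":
    for name, (known, reason) in flag_lookalikes(SAMPLE_NAMES).items():
        print("{}: resembles {} ({})".format(name, known, reason))
```

Note that "quasarlib" and "swapmempool" are not flagged: a name check catches the pycrypto lookalikes but not every malicious package, so it complements, rather than replaces, review of what a package actually installs.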

This revelation follows the recent identification of several malicious packages in the npm registry by the research firm Phylum, targeting developers actively seeking employment.

The campaigns share a common trait: the malicious code is hidden in a test script that acts as a cover for an XOR-encoded DLL file.

That file produces two further DLLs, named "IconCache.db" and "NTUSER.DAT," which are then used to load and execute the Comebacker malware; Comebacker communicates with a control server in order to run a Windows executable.

According to JPCERT, the discovered packages belong to a campaign first described by Phylum in November 2023, which used cryptocurrency-themed npm modules to deliver the Comebacker malware.

Shusei Tomonaga warns that such attacks exploit user inattention, leading victims to download malicious software inadvertently. Developers are advised to exercise caution when installing packages from repositories and other software sources to avoid unintentionally introducing malware.