Lazarus Sneaks PyPI Malware into Development Systems by Using Typos

Four packages were published to the Python Package Index (PyPI) repository by the well-known state-sponsored hacker outfit Lazarus from North Korea, to infect developer PCs with malware. The packages quasarlib, swapmempool, pycryptoenv, and pycryptoconf have now been removed. Altogether, they have been downloaded 3,269 times, with 1,351 downloads going to pycryptoconf.

According to JPCERT/CC researcher Shusei Tomonaga, “the package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python. Therefore, the attacker probably prepared the malware-containing malicious packages to target users’ typos in installing Python packages.”
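As an added defender-side check (example code, not from the article or from JPCERT/CC), the following pre-install audit flags requirement names that sit within a small edit distance of a known package name, or that wrap a known name with a short extra token, which is the pattern pycryptoenv and pycryptoconf follow against pycrypto. The allowlist and the requirement lines are constructed samples.

```python
import re

# Constructed allowlist of well-known names; in practice this would be the
# dependency set an organisation actually approves.
KNOWN_PACKAGES = {"pycrypto", "pycryptodome", "requests", "numpy", "cryptography"}

# Constructed requirements file: two lines imitate approved names.
REQUIREMENTS = [
    "pycryptoenv==0.1",        # wraps "pycrypto" with a short suffix
    "pycryptodome>=3.19",      # approved name, must not be flagged
    "requets",                 # one-character typo of "requests"
    "numpy  # pinned elsewhere",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, known=KNOWN_PACKAGES, max_distance=2, max_extra=4):
    """Return the known names that `name` suspiciously resembles (sorted).

    An exact match with an approved name is never a typosquat. Otherwise a
    name is flagged when it is within `max_distance` edits of a known name,
    or when it contains a known name plus at most `max_extra` extra characters.
    """
    name = name.lower().replace("_", "-")
    hits = []
    for k in known:
        if name == k:
            return []
        close_edit = levenshtein(name, k) <= max_distance
        embedded = k in name and len(name) - len(k) <= max_extra
        if close_edit or embedded:
            hits.append(k)
    return sorted(hits)


def audit_requirements(lines):
    """Map each suspicious requirement name to the known names it imitates."""
    report = {}
    for line in lines:
        spec = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not spec:
            continue
        pkg = re.split(r"[\s=<>!~\[;]", spec, maxsplit=1)[0]
        hits = typosquat_candidates(pkg)
        if hits:
            report[pkg] = hits
    return report
```

Name similarity only catches look-alikes of names on the allowlist: quasarlib and swapmempool imitate nothing in the sample set and pass this check, so it complements, rather than replaces, reviewing what a package's setup and test scripts actually do.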

The finding comes days after Phylum discovered multiple malicious packages on the npm registry that were being used to target software engineers as part of a campaign dubbed Contagious Interview.

What is notable about both sets of packages is that the malicious code is hidden inside a test script named “test.py”. In this instance, however, the test file is merely a disguise for an XOR-encoded DLL which, once decoded, produces the further DLL files NTUSER.DAT and IconCache.db.

The attack chain then uses NTUSER.DAT to load and execute Comebacker, malware that establishes a connection to a command-and-control (C2) server in order to fetch and run a Windows executable. According to JPCERT/CC, the packages are an extension of the campaign Phylum first described in November 2023, which used crypto-themed npm modules to distribute Comebacker.

“Attackers may be targeting users' typos to have the malware downloaded. When you install modules and other kinds of software in your development environment, please do so carefully to avoid installing unwanted packages,” Tomonaga stated.