---

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fccbd481dd2bd04274c5045995a08ddbcf302780c24f39eb63821d5d63a998d1)

The PyPI name 'libhmac' matches the well-known libyal/libhmac C forensics library (HMAC primitive), but the package contents have nothing to do with HMAC primitives. The shipped code is a complete Chromium-family browser-extension hijacking toolkit. ChromeManager.ReplaceInPlaceExtensions (src/libhmac/extension_patcher.py) enumerates all Chrome/Edge/Brave/Vivaldi profiles for the current user, copies attacker payload bytes (dm_core_bg.js, dm_core_bg.wasm) into each extension's version directory, rewrites manifest.json to add <all_urls> host permissions and a relaxed content_security_policy (wasm-unsafe-eval, broad connect-src), strips extensions.ui.developer_mode_encrypted_hash from Chrome's Secure Preferences (src/libhmac/preferences_handler.py:84), and recomputes Chrome's super_mac using the per-browser HMAC seed extracted from resources.pak (src/libhmac/hmac_calculator.py:223) to defeat tamper detection. The advertised purpose in pyproject.toml is 'Chromium extension host sync, CSP relaxation, and in-place extension patching'. Author metadata is a placeholder ('libhmac maintainers', no email, no homepage, no repo) under a 'Proprietary' license. A developer who runs pip install libhmac expecting the libyal HMAC library instead pulls in a browser-compromise toolkit; downstream packages can import libhmac to weaponize any installer's browser profiles. The combination of name impersonation of an established OSS library, anonymous maintainer identity, and offensive capability with no legitimate dual-use framing is the fingerprint of namespace-abuse malware infrastructure.

Source: kam193 (9bb9951f337f12dd13b75c0646ac2c38680ea60f2ad841b9f102e441993c9c56)

The package is a loader of an infostealer that modifies browser extensions to intercept credentials and cryptowallet data. The installation is not automatic, the code is intended to be triggered externally, but includes hardcoded exfiltration target.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-libhmac

Reasons (based on the campaign):

• crypto-related

• exfiltration-credentials

• exfiltration-crypto

• exfiltration-browser-data