Lumma is an information-stealing malware-as-a-service (MaaS) that has been rented to cybercriminals since 2022 for $250-$1000/month and distributed via various means, including malvertising, YouTube comments, torrents, and, more recently, GitHub comments.