Two malicious Python libraries, which were found to steal SSH and GPG keys from developer projects, have been removed from PyPI (the Python Package Index).
The two libraries were created by a single developer and mimicked other popular Python libraries; their creator used typosquatting to register look-alike names.
One library, called "python3-dateutil", mimicked the popular "dateutil", while the second, "jeIlyfish" (the first L is a capital i), mimicked "jellyfish".
While python3-dateutil was created and uploaded to PyPI just two days before it was discovered, the jeIlyfish library had been available for almost a year, since 11 December 2018.
As Martini said, malicious code was only found in the jeIlyfish library. The most recent python3-dateutil did not contain malicious code itself, but it did pull in jeIlyfish as a dependency.
The code downloaded a list of files that were stored in a GitLab repository. The nature and purpose of these files were initially unknown, as neither Martini nor the PyPI team had thoroughly analyzed their behavior before the packages were permanently removed.
Both malicious libraries were uploaded to PyPI by the same developer, who used the username olgired2017.
It is believed that the developer created the copies to exploit the popularity of the original Python libraries, so that the malicious code would spread as widely as possible. In the end, however, he only drew more attention to the packages, which led to their discovery.
The two libraries were faithful copies of the legitimate ones: apart from the malicious code, they worked in exactly the same way.
Because of these similarities, developers who have pulled these libraries into their projects should check the package names to see whether they installed the copies by mistake.
If so, all SSH and GPG keys that have been used in the last year should be replaced.
This is not the first time the PyPI team has had to deal with Python library clones. Similar incidents also occurred in September 2017, October 2018 and July 2019.
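The name check recommended above can be automated. The following script is an added example, not code from the article or from the PyPI team: it reads requirement lines, normalizes package names the way PyPI does (PEP 503), folds look-alike characters such as a capital I standing in for a lowercase l, and flags names that are one edit away from a legitimate package. The requirements list and the set of legitimate names are constructed for the demonstration.

```python
import re

# Names from the article: the legitimate packages the clones imitated.
LEGITIMATE = ("jellyfish", "python-dateutil")
# Characters that look alike in many fonts (capital I / lowercase l, 0 / o, 1 / l).
HOMOGLYPHS = str.maketrans({"I": "l", "0": "o", "1": "l"})
# Constructed sample requirements file (not from the article).
SAMPLE_REQUIREMENTS = [
    "jeIlyfish==0.7.1   # capital I, not lowercase l",
    "python3-dateutil>=2.8",
    "requests[security]>=2.22",
    "python-dateutil",
]

def normalize(name: str) -> str:
    """PEP 503 name normalization, as PyPI and pip apply it."""
    return re.sub(r"[-_.]+", "-", name).lower()

def fold(name: str) -> str:
    """Map look-alike characters to one canonical form, then normalize."""
    return normalize(name.translate(HOMOGLYPHS))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def package_name(requirement: str) -> str:
    """Strip comment, version specifier, extras and markers from a requirement line."""
    text = requirement.split("#", 1)[0].strip()
    return re.split(r"[\s=<>!~\[;@]", text, 1)[0]

def audit(requirements: list) -> list:
    """One finding per requirement that closely resembles a legitimate package."""
    findings = []
    for line in requirements:
        name = package_name(line)
        if not name or normalize(name) in LEGITIMATE:
            continue  # blank line, or the genuine package
        for legit in LEGITIMATE:
            if fold(name) == fold(legit):
                findings.append({"package": name, "reason": "homoglyph look-alike", "intended": legit})
            elif edit_distance(normalize(name), legit) == 1:
                findings.append({"package": name, "reason": "one edit away", "intended": legit})
    return findings
```

Run `audit(SAMPLE_REQUIREMENTS)` to get one finding for jeIlyfish (homoglyph) and one for python3-dateutil (one edit away); the genuine python-dateutil and unrelated requests produce none.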