Two Python libraries that posed as legitimate packages were caught stealing SSH and GPG keys from projects that used them.
Software developer Lukas Martini discovered that the python3-dateutil and jeIlyfish libraries on PyPI (the Python Package Index) were designed to imitate the real dateutil and jellyfish packages in order to steal SSH and GPG keys.
The two libraries had names different from the originals, with jeIlyfish differing by only one character (a capital I in place of the lowercase l). This kind of look-alike naming has a long history on Unix systems, but it is not exclusive to them. The most worrying aspect is that, while python3-dateutil was available for only two days, the fake jeIlyfish library stayed up for more than a year.
“Just a quick heads-up: There is a fake version of this package called python3-dateutil on PyPI that contains additional imports of the jeIlyfish package (itself a fake version of the jellyfish package, that first L is an I),” said Martini. “I’ve sent an email to the Python security team and hope they’ll take the package (as well as the other ones by the user) down soon, but in the meantime it might be a good idea to check if you have the correct version installed.”
According to ZDNet, dateutil developer Paul Ganssle analyzed the files and determined that python3-dateutil triggered the installation and use of jeIlyfish, which would try to find SSH and GPG keys in the project and send them to the IP address http://220.127.116.11:32258.
While PyPI has removed the libraries, developers who used them should purge them from their repositories and make sure they are no longer in use.
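One way to do that check, as an added example that is not part of the original article: a Python script that lists the distributions the running interpreter can see and flags any whose lowercased name is one of the two reported packages, or whose name, once look-alike characters such as I, l and 1 are folded together, collides with a trusted dependency. The TRUSTED set and the sample names in the test are constructed assumptions.

```python
"""Flag installed distributions matching or resembling the reported packages.
Added example, not from the original article; TRUSTED is an assumed,
project-specific list."""
import importlib.metadata
import unicodedata

# Characters an attacker can swap for one another in a package name; each
# group is folded to its first member so that look-alikes compare equal.
CONFUSABLE_GROUPS = ("il1|", "o0", "-_.")
FOLD = {c: group[0] for group in CONFUSABLE_GROUPS for c in group}
# Dependencies this project is known to use (assumption, project specific).
TRUSTED = {"python-dateutil", "jellyfish"}
# Lowercased names of the two packages reported in the article.
KNOWN_BAD = {"python3-dateutil", "jeilyfish"}


def fold_name(name: str) -> str:
    """Lowercase a distribution name and fold confusable characters, so that
    'jeIlyfish' (capital I) and 'jellyfish' (lowercase l) share one key."""
    name = unicodedata.normalize("NFKC", name).lower()
    return "".join(FOLD.get(c, c) for c in name)


def audit(installed, trusted=TRUSTED, known_bad=KNOWN_BAD):
    """Return {distribution name: reason} for every suspicious entry: a name
    that is one of the reported packages, or one that folds to the same key
    as a trusted dependency without being that dependency."""
    folded_trusted = {fold_name(t): t for t in trusted}
    findings = {}
    for dist in installed:
        low = dist.lower()
        if low in known_bad:
            findings[dist] = "matches a package reported as malicious"
            continue
        key = fold_name(dist)
        if key in folded_trusted and low != folded_trusted[key].lower():
            findings[dist] = f"confusable with trusted package {folded_trusted[key]!r}"
    return findings


def installed_names():
    """Names of every distribution visible to the running interpreter."""
    return [d.metadata["Name"] for d in importlib.metadata.distributions()]


if __name__ == "__main__":
    for name, reason in audit(installed_names()).items():
        print(f"SUSPICIOUS: {name}: {reason}")
```

Run it inside each virtual environment you ship from, since every interpreter sees a different set of distributions.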