Two Malicious Python Packages Steal SSH and GPG Keys Exists in the Python Package Index for a Year

The python security team has removed two malicious python packages that introduced with the Python Package Index (PyPI) aimed to steal SSH and GPG keys from the infected developer projects.

PyPI is a python repository that helps to locate and install the software developed and shared by the Python community. It includes Over 113,000 Python packages, users can find the packages based on keywords and by using filter data.

Malicious Python Packages

The two malicious python packages “python3-dateutil” and “jeIlyfish,” developed by the same developer with handle “olgired2017″. The malicious package “python3-dateutil” found to present in the repository for more than a year, another package is a short-lived one.

Both of the malicious packages identified by the German developer Lukas Martini and he reported to the python security team and the packages have been removed now.

“Just a quick heads-up: There is a fake version of this package called python3-dateutil on PyPI that contains additional imports of the jeIlyfish package (itself a fake version of the jellyfish package, that first L is an I). That package, in turn, contains malicious code starting at line 313 in jeIlyfish/_jellyfish.py:”

The two malicious packages resemble the original packages of ‘dateutil’ and ‘jellyfish’, “python3-dateutil” impersonates ‘dateutil’ and “jeIlyfish” (the first L is an I) imitated the “jellyfish” library.

dateutil – It is the standard datetime module, available in Python, it can be installed from PyPI using the pip command pip install python-dateutil. It can be also downloaded from here.

jellyfish – It is a python library for doing approximate and phonetic matching of strings. It can be also downloaded from here.

The “python3-dateutil” not having any malicious strings, it imports another malicious package “jeIlyfish” which steals the SSH and GPG keys from developer projects.

If you are using ‘dateutil’ and ‘jellyfish’, it is recommended to check that the installed package is the legitimate one.

To note, Python language emerges as the most common vector for launching exploit attempts.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.