A couple of Python libraries that posed as real
components were caught stealing SSH and GPG keys from projects that used them.
Software developer Lukas Martini discovered that the python3-dateutil
and jeIlyfish libraries in the PyPI (Python Package Index) were actually
designed to imitate the real dateutil and jellyfish packages to steal the SSH
and GPG keys.
The two libraries had different names than the originals,
with jeIlyfish differing only by one letter. This type of mechanic has a long
history of use on Unix environments, but it’s not exclusive. The most worrying
aspect is that, while python3-dateutil was only available for two days, the
fake jeIlyfish library stayed up for more than a year.
“Just a quick heads-up: There is a fake version of this
package called python3-dateutil on PyPI that contains additional imports of the
jeIlyfish package (itself a fake version of the jellyfish package, that first L
is an I),” said Martini.
“I’ve sent an email to the Python security team and hope they’ll take the
package (as well as the other ones by the user) down soon, but in the meantime
it might be a good idea to check if you have the correct version installed.”
According to ZDNet,
dateutil developer Paul Ganssle analyzed the files and determined that python3-dateutil
called for the installation and use of jeIlyfish, which would try to find SSH
and GPG from the project and send them to the IP address http://220.127.116.11:32258.
While the PyPI project removed the libraries, developers still
using them should purge their repositories and make sure they are not in use.