Two malicious Python libraries have been caught stealing SSH and GPG keys from developers over the past year.
Both were hosted on PyPI (the Python Package Index) and imitated two popular, legitimate libraries through typosquatting: registering names that differ from the real ones by a character a developer is unlikely to notice.
The first is "python3-dateutil", which imitates the real "python-dateutil" package (imported as dateutil), a library that provides extensions to Python's standard datetime module.
The second is "jeIlyfish", in which the first "l" of the real name is replaced with a capital "I"; in most fonts the two glyphs are nearly indistinguishable, so a developer reading the name believes they are installing the original. PyPI compares package names case-insensitively, but the lowercased "jeilyfish" is still a distinct name from "jellyfish", so nothing on PyPI's side blocked the registration. The real "jellyfish" library is used for approximate and phonetic matching of strings.
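The two naming tricks above (a look-alike glyph, and an extra character such as the "3" in python3-dateutil) can be caught before installation by comparing requested names against the packages a project actually intends to use. The following check is an added example written for this page, not code from the article, from PyPI or from the researcher who found the packages; the allowlist and the requirements file it scans are constructed for illustration.

```python
import re

# Constructed allowlist of the packages a hypothetical project intends to use
# (not from the article).
ALLOWLIST = ["requests", "python-dateutil", "jellyfish"]

# Constructed requirements file containing the two impostor names from the
# article alongside legitimate entries.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
requests==2.22.0
python-dateutil>=2.8
python3-dateutil
jeIlyfish
"""


def normalize_name(name: str) -> str:
    """PEP 503 normalization: lowercase, with runs of '-', '_' and '.' collapsed
    to '-'. "jeIlyfish" becomes "jeilyfish", which is still a different name from
    "jellyfish", so PyPI's own name matching does not flag it."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Map visually confusable characters onto one representative so that names
# differing only by a look-alike glyph share a skeleton. This is a heuristic
# (it also merges e.g. "rn" and "m"), so it is used to flag, not to block.
_SKELETON_MAP = str.maketrans({"i": "l", "1": "l", "0": "o"})


def skeleton(normalized: str) -> str:
    return normalized.translate(_SKELETON_MAP).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches added or dropped characters such as the '3' in
    python3-dateutil versus python-dateutil."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, allowlist, max_distance: int = 1):
    """Return (verdict, matched_allowlisted_name). Verdicts: 'ok' (exact match
    after normalization), 'homoglyph' (same skeleton as an allowlisted name),
    'near-miss' (within max_distance edits), 'unknown' (resembles nothing)."""
    cand = normalize_name(candidate)
    known = sorted(normalize_name(n) for n in allowlist)
    if cand in known:
        return "ok", cand
    for k in known:
        if skeleton(k) == skeleton(cand):
            return "homoglyph", k
    for k in known:
        if levenshtein(cand, k) <= max_distance:
            return "near-miss", k
    return "unknown", None


# Leading project name of a requirements line; version specifiers are ignored.
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def scan_requirements(text: str, allowlist):
    """Scan requirements.txt-style lines and return (name, verdict, target) for
    every entry that is not an exact allowlisted name."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = _REQ_NAME.match(line)
        if not m:
            continue
        verdict, target = classify(m.group(1), allowlist)
        if verdict != "ok":
            findings.append((m.group(1), verdict, target))
    return findings


if __name__ == "__main__":
    for name, verdict, target in scan_requirements(SAMPLE_REQUIREMENTS, ALLOWLIST):
        print(f"{name}: {verdict} (resembles {target})")
```

Run against the constructed file, the scan reports python3-dateutil as a near-miss for python-dateutil and jeIlyfish as a homoglyph of jellyfish. Note that a requirements file only lists direct dependencies; to catch an impostor pulled in transitively, run the same check over the fully resolved set (for example the output of pip freeze in a clean environment) rather than over the hand-written file alone.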
Both malicious libraries were discovered earlier this month by Lukas Martini, a German software developer, and were removed the same day Martini notified the Python security team.
Fortunately, thanks to Martini's quick observation, python3-dateutil was live for only two days. jeIlyfish, however, had been live for almost a year (since December 11, 2018).
The python3-dateutil library did not contain any malicious code itself, but it imported the jeIlyfish library, which did; using python3-dateutil therefore also executed jeIlyfish's key-stealing code, even though python3-dateutil looked clean on inspection.
According to PyPI Stats, the malicious jeIlyfish library was downloaded: