Python libraries imitating ‘dateutil’ and ‘jellyfish’ caught stealing SSH and GPG keys

Two malicious Python libraries have been caught stealing SSH and GPG keys from developers over the past year.

The libraries were published on PyPI (Python Package Index) and used typosquatting to imitate two popular non-malicious libraries.

The first library is “python3-dateutil,” which imitates “dateutil,” a library which provides extensions to Python’s standard datetime module.

Next up is the “jeIlyfish” library, in which the first “L” is replaced by an “I” to register a similar-looking name and trick developers into believing they’re using the original library. The real “jellyfish” library is used for approximate and phonetic matching of strings.

Both of the malicious libraries were discovered earlier this month by Lukas Martini, a German software developer. The libraries were removed the same day as Martini notified the Python security team.

Fortunately, thanks to Martini’s quick observation, the python3-dateutil library was only live for two days. jeIlyfish, however, was live for almost a year (since December 11, 2018).

The python3-dateutil library did not contain any malicious code itself, but it did import the jeIlyfish library, which does.

On PyPI Stats, the malicious jeIlyfish library was apparently downloaded:

  • Last day: 13
  • Last week: 103
  • Last month: 119

The code in the library appears to steal SSH and GPG keys from a user’s computer and send them to the IP address 68.183.212.246.

All developers are advised to check if they’ve accidentally downloaded or imported the malicious libraries rather than the originals. If so, it’s advisable to change all SSH and GPG keys used over the past year.
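One way to run that check against a Python environment, as an added example that is not from the original article or from PyPI. It goes slightly beyond the two reported names by also flagging any installed name that differs from a genuine one only by look-alike characters; the `LEGITIMATE` allow-list and the confusable-character table are assumptions chosen for illustration.

```python
import re
from importlib import metadata

# Names reported in the article, in PEP 503 normalized (lowercase) form.
KNOWN_MALICIOUS = {"python3-dateutil", "jeilyfish"}
# Assumption: sample allow-list of genuine project names to compare against.
LEGITIMATE = {"jellyfish", "python-dateutil"}

# Assumption: small table of characters that are easy to mistake for one
# another. Package names are compared case-insensitively, so "I" and "i"
# are folded together with "l" and "1".
_CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def skeleton(name):
    """Normalized name with look-alike characters folded together."""
    return normalize(name).translate(_CONFUSABLE)


def find_suspects(installed_names):
    """Return {name: reason} for installed names that warrant a closer look."""
    legit_skeletons = {skeleton(n): n for n in LEGITIMATE}
    suspects = {}
    for name in installed_names:
        norm = normalize(name)
        if norm in KNOWN_MALICIOUS:
            suspects[name] = "named in the report"
        elif norm not in LEGITIMATE and skeleton(name) in legit_skeletons:
            suspects[name] = "look-alike of " + legit_skeletons[skeleton(name)]
    return suspects


def installed_distribution_names():
    """Names of every distribution visible to the current interpreter."""
    names = (d.metadata["Name"] for d in metadata.distributions())
    return [n for n in names if n]


if __name__ == "__main__":
    hits = find_suspects(installed_distribution_names())
    for name, reason in sorted(hits.items()):
        print(f"{name}: {reason}")
```

The script only sees the interpreter it runs under, so it needs to be run once per virtual environment or system Python; a clean result says nothing about packages that were installed and later removed.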
