Python libraries imitating ‘dateutil’ and ‘jellyfish’ caught stealing SSH and GPG keys

Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (

Two malicious Python libraries have been caught stealing SSH and GPG keys from developers over the past year.

The libraries were part of PyPI (Python Package Index) and imitated two popular non-malicious libraries using typosquatting.

The first library is “python3-dateutil,” which imitates “dateutil,” a library which provides extensions to Python’s standard datetime module.

Next up is the “jeIlyfish” library, which swaps the first “L” for an “I” to register a near-identical name and trick developers into believing they’re using the original library. The real “jellyfish” library is used for doing approximate and phonetic matching of strings.

Both of the malicious libraries were discovered earlier this month by Lukas Martini, a German software developer. The libraries were removed the same day Martini notified the Python security team.

Fortunately, thanks to Martini’s quick observation, the python3-dateutil library was only live for two days. jeIlyfish, however, was live for almost a year (since December 11, 2018).

The python3-dateutil library did not contain any malicious code itself, but it did import the jeIlyfish library, which does.

On PyPI Stats, the malicious jeIlyfish library was apparently downloaded:

  • Last day: 13

  • Last week: 103

  • Last month: 119 

The code in the library appears to steal SSH and GPG keys from a user’s computer and send them to the IP address

All developers are advised to check if they’ve accidentally downloaded or imported the malicious libraries rather than the originals. If so, it’s advisable to change all SSH and GPG keys used over the past year.
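One way to run that check, as an added example rather than code from the article or from PyPI: the script below lists the distributions installed for the current interpreter, flags the two names reported above, and also flags any name within one character edit of a protected name. The `PROTECTED` set is an assumption ("python-dateutil" is the name under which dateutil is published on PyPI), and the function names are illustrative.

```python
import re
from importlib import metadata

# Package names reported in the article as malicious.
KNOWN_BAD = {"python3-dateutil", "jeIlyfish"}
# Assumption: the legitimate projects being imitated, under their PyPI names.
PROTECTED = {"python-dateutil", "jellyfish"}

def canonical(name):
    """PEP 503 normalisation; PyPI treats 'jeIlyfish' and 'jeilyfish' as one name."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name):
    """Return 'known-bad', 'lookalike:<target>' or None for one distribution name."""
    n = canonical(name)
    if n in {canonical(b) for b in KNOWN_BAD}:
        return "known-bad"
    for good in sorted(PROTECTED):
        g = canonical(good)
        if n != g and edit_distance(n, g) <= 1:
            return "lookalike:" + good
    return None

def audit(names):
    """Map each suspicious name to its finding; clean names are omitted."""
    return {n: f for n in names if (f := classify(n))}

def installed_names():
    """Names of every distribution visible to this interpreter."""
    return [d.metadata["Name"] for d in metadata.distributions() if d.metadata["Name"]]

if __name__ == "__main__":
    for name, finding in sorted(audit(installed_names()).items()):
        print(f"{name}: {finding}")
```

Run it once per virtual environment, since each interpreter only sees its own site-packages.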
