Two Python libraries taken offline for stealing ssh and gpg keys


Two Python libraries have been taken offline after they were found to contain phishing malware. According to the security team behind the software, the libraries relied on typosquatting.

The libraries were discovered this weekend by a security researcher, after which the team behind Python took them offline, as they write on GitHub. One was a fake version of jellyfish with the first l replaced by a capital I; the other was python3-dateutil, a clone of the standard dateutil library, which is very popular. The python3-dateutil code itself contained no malware, but it imported the fake jellyfish, which did.
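A defensive check for the two tricks described above (a look-alike character in a name, and a plausible prefix variant of a real package), as an added example that is not part of the original article. It scans a requirements.txt body against a constructed allow-list of trusted projects; the allow-list, the homoglyph table and the sample input are assumptions for this example.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list: the projects this repository is expected to depend on.
TRUSTED = {"jellyfish", "python-dateutil", "requests", "numpy"}
# Characters that are hard to tell apart in many fonts; capital I for lowercase l
# is the substitution used by the fake jellyfish package.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})
PREFIX = re.compile(r"^(python3?|py3?)-")

def pep503(name):
    """PEP 503 normalization: PyPI treats names equal under this as one project."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()

def folded(name):
    """Normalize and additionally map look-alike characters to the letter they imitate."""
    return pep503(name.translate(HOMOGLYPHS))

def check_name(name, trusted=TRUSTED):
    """None if name is a trusted project, else (trusted_name, reason) for the one it mimics."""
    goods = {g: pep503(g) for g in sorted(trusted)}
    if pep503(name) in goods.values():
        return None
    fold = folded(name)
    for good in goods:
        if fold == folded(good):
            return (good, "look-alike characters")
    for good in goods:
        if PREFIX.sub("", fold) == PREFIX.sub("", folded(good)):
            return (good, "prefix variant")
    for good in goods:
        if SequenceMatcher(None, fold, folded(good)).ratio() >= 0.9:
            return (good, "near miss")
    return None

def scan_requirements(text, trusted=TRUSTED):
    """Map each suspicious requirement name in a requirements.txt body to (trusted_name, reason)."""
    findings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        name = re.split(r"[<>=!~;\[ ]", line, maxsplit=1)[0]
        hit = check_name(name, trusted)
        if hit:
            findings[name] = hit
    return findings

# Constructed sample requirements.txt; version pins are placeholders.
SAMPLE = "# pinned deps\njeIlyfish==0.0\npython3-dateutil>=0.0\nrequests\nnumpy\n"
```

Names that only differ in case, dots or underscores normalize to the same PyPI project and are not flagged; only names that differ after normalization are reported.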

ZDNet, which had the malware analyzed, writes that the libraries contained a file called hashsum that was decrypted into a usable Python executable. The executable attempted to collect ssh and gpg keys from the system and send them to a command-and-control server. Apart from the malware, the libraries worked exactly like the software they cloned.

The python3-dateutil library was only online for two days; jeIlyfish, by contrast, had been active for more than a year. It is not known how often the malware was downloaded. Both packages have since been taken offline.
