January 21, 2020

Fake Python Libraries Caught Trying to Steal SSH and GPG Keys

A couple of Python libraries that posed as real components were caught stealing SSH and GPG keys from projects that used them.

Software developer Lukas Martini discovered that the python3-dateutil and jellyfish libraries on PyPI (the Python Package Index) were designed to imitate the real dateutil and jellyfish packages in order to steal SSH and GPG keys.

The two libraries had names slightly different from the originals, with the fake jellyfish differing by only one letter. This kind of look-alike naming has a long history on Unix systems, but it is not exclusive to them. The most worrying aspect is that, while python3-dateutil was available for only two days, the fake jellyfish library stayed up for more than a year.


“Just a quick heads-up: There is a fake version of this package called python3-dateutil on PyPI that contains additional imports of the jellyfish package (itself a fake version of the jellyfish package, that first L is an I),” said Martini. “I’ve sent an email to the Python security team and hope they’ll take the package (as well as the other ones by the user) down soon, but in the meantime, it might be a good idea to check if you have the correct version installed.”

According to ZDNet, dateutil developer Paul Ganssle analyzed the files and determined that python3-dateutil called for the installation and use of the fake jellyfish, which would try to find SSH and GPG keys in the project and send them to the IP address

While the PyPI project removed the libraries, developers still using them should purge their repositories and make sure they are not in use.
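Martini's advice to check that the correct package is installed, and the closing recommendation to make sure the fakes are not in use, can be turned into a routine check on a requirements file. The following script is an added example and is not code from the article or from either project. It flags three kinds of names: the two packages the article reports as malicious (the look-alike is written here as `jeIlyfish`, as the article describes it, with a capital I in place of the first lowercase L), names that collide with a trusted package once visually confusable characters are folded together, and names one edit away from a trusted package. The trusted list, the confusable map and the sample requirements are constructed for the example.

```python
"""Flag look-alike (typosquatted) package names in a requirements list."""
import re
from typing import Iterable, List, Optional, Tuple

# Package names the article reports as malicious. "jeIlyfish" is the look-alike
# the article describes: the first lowercase L replaced by a capital I.
KNOWN_BAD = {"python3-dateutil", "jeIlyfish"}

# Characters that look alike in common fonts, each folded onto one
# representative so that "jeIlyfish", "je11yfish" and "jellyfish" collide.
# (Constructed, deliberately small map for the example.)
_CONFUSABLES = {"i": "l", "1": "l", "|": "l", "0": "o"}

# Leading project name on a requirements line (version specifiers follow).
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def skeleton(name: str) -> str:
    """Normalized name with visually confusable characters folded together."""
    return "".join(_CONFUSABLES.get(c, c) for c in normalize(name))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute; cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, trusted: Iterable[str]) -> Optional[str]:
    """Return a reason if `name` looks suspicious, or None if it is acceptable."""
    norm = normalize(name)
    if norm in {normalize(b) for b in KNOWN_BAD}:
        return "known malicious package"
    trusted_norm = {normalize(t): t for t in trusted}
    if norm in trusted_norm:
        return None  # exact match with a trusted name
    for tn, original in trusted_norm.items():
        if skeleton(name) == skeleton(original):
            return f"confusable with trusted package {original!r}"
        if edit_distance(norm, tn) == 1:
            return f"one edit away from trusted package {original!r}"
    return None


def audit_requirements(lines: Iterable[str], trusted: Iterable[str]) -> List[Tuple[str, str]]:
    """Return [(name, reason)] for every suspicious requirement line."""
    trusted = list(trusted)
    findings = []
    for line in lines:
        line = line.split("#", 1)[0]  # drop trailing comments
        match = _REQ_NAME.match(line)
        if not match:
            continue  # blank line, comment, or an option such as "-r other.txt"
        reason = classify(match.group(1), trusted)
        if reason:
            findings.append((match.group(1), reason))
    return findings


# Constructed sample: a requirements file mixing trusted names with look-alikes.
SAMPLE_REQUIREMENTS = """\
python-dateutil==2.8.1
jellyfish==0.7.2
python3-dateutil   # reported fake
jeIlyfish          # capital I instead of lowercase l
je11yfish          # digits in place of letters
requets>=2.22      # one character dropped
requests
""".splitlines()

# Constructed allow-list of the packages the project actually depends on.
TRUSTED = ["python-dateutil", "jellyfish", "requests"]

if __name__ == "__main__":
    for pkg, why in audit_requirements(SAMPLE_REQUIREMENTS, TRUSTED):
        print(f"{pkg}: {why}")
```

Run against the constructed sample, the script reports python3-dateutil and jeIlyfish as known malicious, je11yfish as confusable with jellyfish, and requets as one edit away from requests, while the genuine entries pass. The same `audit_requirements` call can be pointed at `pip freeze` output to check what is already installed, which is the "make sure they are not in use" step.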