SSH and GPG Keys Being Stolen by Malicious Python Libraries

Threat Watch

Threat Watch SSH and GPG Keys Being Stolen by Malicious Python Libraries

SSH and GPG Keys Being Stolen by Malicious Python Libraries

Two different malicious Python libraries have been pulled off of the Python Package Index (PyPI) after they were found to be stealing SSH and GPG Keys from other developers. These malicious libraries were both created by the same developer, username olgired2017, and made to look like two other well-known libraries. These libraries were “python3-dateutil” which looked similar to “dateutil” and “jeIlyfish,” with the first “L” replaced by an uppercase letter “i,” which was designed to mimic “jellyfish.” Lukas Martini, a German software developer, discovered both malicious libraries on December 1^st, 2019 and reported them to the team at PyPI. When PyPI took a look, they found that the python3-dateutil was created just two days prior on November 29^th, 2019 while the jeIlyfish library had existed for almost a year since its creation on December 11^th, 2018.

ANALYST NOTES

Python developers who use the dateutil or jellyfish libraries should check that they downloaded the correct libraries. If by chance they downloaded the incorrect library, they are advised to replace all of the SSH and GPG keys they have used since installing the malicious libraries and to warn any customers to whom the malicious libraries may have been distributed.

Hackers for Hire: An Overview of the Unethical Services Offered on the Darknet

Intro to Threat Hunting

What is YARA? Get to know this malware research tool

Your sandbox failed. Now What? Static Analysis to the rescue!

Threat Watch

SSH and GPG Keys Being Stolen by Malicious Python Libraries

ANALYST NOTES

Solutions

Industries

Resources

About

Contact Support

Threat Watch

SSH and GPG Keys Being Stolen by Malicious Python Libraries

ANALYST NOTES

Subscribe to Threat Watch

Contact Support