Two different malicious Python libraries have been pulled off of the Python Package Index (PyPI) after they were found to be stealing SSH and GPG Keys from other developers. These malicious libraries were both created by the same developer, username olgired2017, and made to look like two other well-known libraries. These libraries were “python3-dateutil” which looked similar to “dateutil” and “jeIlyfish,” with the first “L” replaced by an uppercase letter “i,” which was designed to mimic “jellyfish.” Lukas Martini, a German software developer, discovered both malicious libraries on December 1st, 2019 and reported them to the team at PyPI. When PyPI took a look, they found that the python3-dateutil was created just two days prior on November 29th, 2019 while the jeIlyfish library had existed for almost a year since its creation on December 11th, 2018.
Analyst Notes
Python developers who use the dateutil or jellyfish libraries should check that they downloaded the correct libraries. If by chance they downloaded the incorrect library, they are advised to replace all of the SSH and GPG keys they have used since installing the malicious libraries and to warn any customers to whom the malicious libraries may have been distributed.
