Two different malicious Python libraries have been pulled from the Python Package Index (PyPI) after they were found to be stealing SSH and GPG keys from other developers. Both malicious libraries were created by the same developer, username olgired2017, and made to look like two well-known libraries. These libraries were “python3-dateutil”, which looked similar to “dateutil”, and “jeIlyfish”, with the first lowercase “l” replaced by an uppercase “I”, which was designed to mimic “jellyfish”. Lukas Martini, a German software developer, discovered both malicious libraries on December 1st, 2019 and reported them to the team at PyPI. When PyPI took a look, they found that python3-dateutil had been created just two days prior, on November 29th, 2019, while the jeIlyfish library had existed for almost a year since its creation on December 11th, 2018.
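The two name tricks described above (a confusable glyph swap and a misleading “python3-” prefix) can be caught on the defender's side before installation. The following is an added example, not code from the original article or from Binary Defense; the allowlist and the sample requirements are constructed, and “python-dateutil” is used because that is the real PyPI name of the dateutil project.

```python
"""Flag dependency names that imitate well-known packages by homoglyph swaps,
misleading prefixes, or near-miss spellings (defender-side check)."""
import difflib
from typing import Iterable, Optional

# Constructed allowlist of legitimate names; a real check would load the
# project's vetted dependency list. "python-dateutil" is the real PyPI name.
KNOWN_PACKAGES = {"python-dateutil", "jellyfish", "requests", "numpy"}

# Confusable glyphs folded to one canonical letter (uppercase I, digit 1 and
# pipe to lowercase l; uppercase O and digit 0 to lowercase o). Folding runs
# before lowercasing so "jeIlyfish" becomes "jellyfish".
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "O": "o", "0": "o"})
PREFIXES = ("python3-", "python-")


def normalize(name: str) -> str:
    """Canonical form for comparison: fold glyphs, lowercase, unify
    separators, and drop a leading python-/python3- prefix."""
    canon = name.translate(HOMOGLYPHS).lower().replace("_", "-")
    for prefix in PREFIXES:
        if canon.startswith(prefix):
            return canon[len(prefix):]
    return canon


def classify(name: str, known: Iterable[str] = KNOWN_PACKAGES) -> Optional[str]:
    """Return the known package that `name` appears to imitate, or None."""
    known = set(known)
    # PyPI treats names case-insensitively and '_' like '-', so this is exact.
    if name.lower().replace("_", "-") in known:
        return None
    index = {normalize(k): k for k in known}
    candidate = normalize(name)
    if candidate in index:               # homoglyph swap or prefix squat
        return index[candidate]
    # Near-miss spellings (one extra or missing character) with a strict cutoff
    close = difflib.get_close_matches(candidate, list(index), n=1, cutoff=0.9)
    return index[close[0]] if close else None


def audit(requirements: Iterable[str]) -> dict:
    """Map each suspicious requirement line to the package it resembles."""
    findings = {}
    for line in requirements:
        pkg = line.split("==")[0].strip()
        hit = classify(pkg)
        if hit:
            findings[pkg] = hit
    return findings


if __name__ == "__main__":
    # Constructed requirements mixing legitimate and lookalike names.
    sample = ["python-dateutil==2.8.1", "python3-dateutil", "jeIlyfish", "requests", "numpyy"]
    print(audit(sample))
```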
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is