Developers attacked: Two Python package trojans spread via popular PyPI website

  • Liam Tung (CSO Online)
  • 05 December, 2019 05:55

Some Python developers unwittingly allowed malicious libraries to steal SSH and GPG keys from open source projects. 

Python developers discovered over the weekend that a scammer had created fake versions of two legitimate Python add-on packages that were embedded with malware designed to steal SSH and GNU GPG keys from developers’ computers. 

The fake Python software libraries posed a threat to developers who use the language for open source projects, and was distributed via the Python Software Foundation’s PyPI (Python Package Index) website, which is where many developers download additional Python software libraries or packages from.  

The packages were designed to dupe users of the popular “dateutil” tool as well as a tool called “jellyfish”, both using typo squatting techniques that replace letters. In the case of jellyfish, the first L was swapped out for an I in the fake library. 

As ZDNet reported on Wednesday, the bogus dateutil package — called “python3-dateutil” — didn't contain malicious code itself, but rather imported the malicious jeIlyfish library, which downloads code from a GitLab repository that tries to steal SSH and GPG keys from the victim’s computer and sent it to a an IP address. 

Paul Ganssle, a developer of dateutil speculated that the code was designed to give the attacker a picture of the projects for which the keys worked, which would allow the attacker to compromise multiple projects from a victim.   

Both fake versions of the software libraries were removed immediately after a German coder, Lukas Martini, informed the developers of dateutil and the PyPI security team

The python3-dateuti was only available for download for two days before being taken down, but the fake ‘jellyfish’ library has been available for almost a year.

Developers who inadvertently installed the malicious packages should change  SSH and GPG keys use in the past past year.