The Python security team removed two malicious Python libraries from PyPI that were found to steal SSH and GPG keys. Both libraries were created by the same developer. The first is “python3-dateutil,” which imitated the popular “dateutil” library. The second is “jeIlyfish” (the first L is an I), which mimicked the “jellyfish” library.
German developer Lukas Martini discovered the two malicious libraries on Sunday and they were removed immediately after notifying the security team. Martini claims that the malicious code exists only in jeIlyfish, and python3-dateutil does not contain malicious code itself, but it imports the jeIlyfish library.
Analysis by date development team member, Paul Ganssle concluded that the malicious code was trying to steal SSH and GPG keys from the user’s computer and then sending it to an IP address. “It looks like [this file] tries to exfiltrate SSH and GPG keys from a user’s computer and send them to this IP address: http://220.127.116.11:32258.” “It also lists a bunch of directories, home directory, PyCharm Projects directory,” Ganssle added. “If I had to guess what the purpose of that is, I would say it’s to figure out what projects the credentials work for so that the attacker can compromise that person’s projects.”