Two new malicious packages were found on the Python Packaging Index (PyPI) that were designed to steal GPG and SSH keys according to ZDNet. The packages were named python3-dateutil and jeIlyfish where the first “L” is actually an I. These two libraries mimicked the dateutil and jellyfish packages respectively.
The fake python3-dateutil would import the fake jeIlyfish library which housed the malicious code that would attempt to steal GPG and SSH keys. While both of these libraries have been removed from PyPI, this is just another reminder to always be sure that you are installing the right package.
For full details, check out the ZDNet article as it breaks down how the libraries work.
Related Reading
- New Malicious Python Libraries Found Targeting Linux
- Malicious Libraries Found on Python Package Index (PyPI)