Sunday, May 19, 2024

Two Malicious Python Packages Steal SSH and GPG Keys Exists in the Python Package Index for a Year

The python security team has removed two malicious python packages that introduced with the Python Package Index (PyPI) aimed to steal SSH and GPG keys from the infected developer projects.

PyPI is a python repository that helps to locate and install the software developed and shared by the Python community. It includes Over 113,000 Python packages, users can find the packages based on keywords and by using filter data.

Malicious Python Packages

The two malicious python packages “python3-dateutil” and “jeIlyfish,” developed by the same developer with handle “olgired2017″. The malicious package “python3-dateutil” found to present in the repository for more than a year, another package is a short-lived one.

Both of the malicious packages identified by the German developer Lukas Martini and he reported to the python security team and the packages have been removed now.

“Just a quick heads-up: There is a fake version of this package called python3-dateutil on PyPI that contains additional imports of the jeIlyfish package (itself a fake version of the jellyfish package, that first L is an I). That package, in turn, contains malicious code starting at line 313 in jeIlyfish/”

The two malicious packages resemble the original packages of ‘dateutil’ and ‘jellyfish’, “python3-dateutil” impersonates ‘dateutil’ and “jeIlyfish” (the first L is an I) imitated the “jellyfish” library.

dateutil – It is the standard datetime module, available in Python, it can be installed from PyPI using the pip command pip install python-dateutil. It can be also downloaded from here.

jellyfish – It is a python library for doing approximate and phonetic matching of strings. It can be also downloaded from here.

The “python3-dateutil” not having any malicious strings, it imports another malicious package “jeIlyfish” which steals the SSH and GPG keys from developer projects.

If you are using ‘dateutil’ and ‘jellyfish’, it is recommended to check that the installed package is the legitimate one.

To note, Python language emerges as the most common vector for launching exploit attempts.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles