Developer Lukas Martini discovered that malicious Python libraries stole SSH and GPG keys. As a result, two libraries that were caught stealing keys from developer projects were removed from the PyPI repository. One of the libraries went unnoticed for almost a year.
Both libraries had the same author (olgired2017), who used the typosquatting technique: he named his “products” as closely as possible to other popular libraries, changing only a couple of characters. For example, the first library was python3-dateutil (uploaded on November 29, 2019), which imitates the popular dateutil, and the second is jeIlyfish (the first “L” is actually a capital “I”; uploaded on December 11, 2018), disguised as jellyfish.
German developer Lukas Martini discovered malicious clones on December 1, 2019 and hastened to notify the Python security team. Both libraries were removed from PyPI on the same day.
“The malicious code was present only in the jeIlyfish library. The python3-dateutil package didn’t contain malicious code of its own, but it did import the jeIlyfish library, meaning it was malicious by association”, Lukas Martini wrote.
Since neither Martini nor PyPI representatives explained exactly what the malicious libraries were doing, ZDNet reporters asked for a comment from dateutil developer Paul Ganssle.
“The malicious code in jeIlyfish downloaded from GitLab a file called hashsum, which at first glance looked like complete nonsense, but then it was decoded into a Python file and executed. It seems that [this file] tried to steal SSH and GPG keys from the user’s computer and send them to this IP address: http://68.183.212[.]246:32258”, the expert said.
In addition, the attacker was clearly trying to determine for which projects the stolen credentials would work (the code compiled a list of directories, including the home directory and PyCharm Projects) in order to compromise the victim developer’s own products.
“It is believed that olgired2017 created the dateutil clone in an attempt to capitalize on the original library’s popularity and increase the reach of the malicious code; however, this also brought more attention from more developers and eventually ended up exposing his entire operation”, write ZDNet journalists.
Recall that, before this case, malicious libraries had already been detected in PyPI three times in recent years.
Recommendations:
Developers who didn’t pay attention to the libraries they downloaded or imported into their projects should check that they used the correct package names and did not accidentally install the typosquatted versions.
If they accidentally used either of the two, developers are advised to change all the SSH and GPG keys they’ve used over the past year.
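The first recommendation above (verify that the package names in a project are the intended ones) can be scripted. The following is an added example written for this article, not code from PyPI, ZDNet or Lukas Martini. It parses a requirements.txt-style list, normalises names the way PyPI does (case-folding and collapsing `-`, `_` and `.`), and then flags two kinds of look-alikes against a constructed allowlist of packages the project is known to use: names that differ only by homoglyphs (the capital “I” for lowercase “l” trick used in jeIlyfish) and names that are a close edit-distance match to a known package (python3-dateutil versus python-dateutil). The allowlist, the threshold value and the sample requirements file are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist: the packages this hypothetical project legitimately depends on.
# In practice this is the reviewed, pinned dependency list, not a guess.
KNOWN_GOOD = {"python-dateutil", "jellyfish", "requests", "numpy"}

# Characters that look alike in common fonts, folded to one canonical letter so that
# "jeIlyfish" (capital I) and "jellyfish" (lowercase L) compare equal after folding.
_HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

# Project name at the start of a requirement line (before ==, >=, extras, etc.).
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def canonical(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name.lower())


def folded(name: str) -> str:
    """Canonical form with homoglyphs folded; used only for comparison, never for install."""
    return canonical(name.translate(_HOMOGLYPHS))


def parse_requirements(text: str) -> list[str]:
    """Extract bare project names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, comments and pip options such as "-r other.txt".
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def check_names(names, known_good=KNOWN_GOOD, threshold=0.85):
    """Return (requested, closest_known, reason) for every suspicious name.

    reason is "homoglyph" when the name equals a known package only after
    look-alike folding, or "near-match" when it is close in edit distance
    (SequenceMatcher ratio >= threshold) but not identical. Exact matches
    after PEP 503 normalisation are accepted silently.
    """
    by_canonical = {canonical(k): k for k in known_good}
    by_folded = {folded(k): k for k in known_good}
    findings = []
    for name in names:
        if canonical(name) in by_canonical:
            continue  # legitimate, exactly as listed (modulo case and separators)
        if folded(name) in by_folded:
            findings.append((name, by_folded[folded(name)], "homoglyph"))
            continue
        closest, score = max(
            ((k, SequenceMatcher(None, canonical(name), canonical(k)).ratio())
             for k in known_good),
            key=lambda kv: kv[1],
        )
        if score >= threshold:
            findings.append((name, closest, "near-match"))
    return findings


if __name__ == "__main__":
    # Constructed requirements file that contains both typosquats named in the article.
    sample = "python3-dateutil==2.8.1\njeIlyfish\nrequests>=2.0\n# comment\nnumpy\n"
    for requested, known, reason in check_names(parse_requirements(sample)):
        print(f"suspicious: {requested!r} looks like {known!r} ({reason})")
```

Run against a real requirements file, the output lists each name that is either a homoglyph of, or unusually close to, a package on the allowlist; a clean run prints nothing. The homoglyph fold is deliberately applied only to the comparison, so the script never rewrites what gets installed. The similarity threshold is a judgement call: too low and ordinary unrelated packages get flagged, too high and a one-character typosquat slips through, so tune it against the project’s own dependency list.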