The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers.
The two libraries were created by the same developer and mimicked other more popular libraries -- using a technique called typosquatting to register similarly-looking names.
The two malicious clones were discovered on Sunday, December 1, by German software developer Lukas Martini. Both libraries were removed on the same day after Martini notified dateutil developers and the PyPI security team.
While the python3-dateutil was created and uploaded on PyPI two days before, on November 29, the jeIlyfish library had been available for nearly a year, since December 11, 2018.
Stealing SSH and GPG keys
According to Martini, the malicious code was present only in the jeIlyfish library. The python3-dateutil package didn't contain malicious code of its own, but it did import the jeIlyfish library, meaning it was malicious by association.
The code downloaded and read a list of hashes stored in a GitLab repository. The nature and purpose of these hashes was initially unknown, as neither Martini or the PyPI team detailed the behavior in great depth before the library was promptly removed from PyPI.
ZDNet asked today Paul Ganssle, a member of the dateutil dev team, to take a closer look at the malicious code and put it in perspective for our readers.
"The code directly in the `jeIlyfish` library downloads a file called 'hashsum' that looks like nonsense from a gitlab repo, then decodes that into a Python file and executes it," Ganssle told ZDNet.
"It looks like [this file] tries to exfiltrate SSH and GPG keys from a user's computer and send them to this IP address: http://220.127.116.11:32258."
"It also lists a bunch of directories, home directory, PyCharm Projects directory," Ganssle added. "If I had to guess what the purpose of that is, I would say it's to figure out what projects the credentials work for so that the attacker can compromise that person's projects."
Developers advised to review projects
Both of the malicious libraries were uploaded on PyPI by the same developer, who used the username of olgired2017 -- also used for the GitLab account.
It is believed that olgired2017 created the dateutil clone in an attempt to capitalize on the original's library popularity and increase the reach of the malicious code; however, this also brought more attention from more developers and eventually ended up in exposing his entire operation.
Excluding the malicious code, both typosquatted packages were identical copies of the original libraries, meaning they would have worked as the originals.
Developers who didn't pay attention to the libraries they downloaded or imported into their projects should check to see if they've used the correct package names and did not accidentally use the typosquatted versions.
If they accidentally used any of the two, developers are advised to change the all SSH and GPG keys they've used over the past year.
This is the sixth time the PyPI team intervenes to remove typo-squatted malicious Python libraries from the official repository. Similar incidents have happened in September 2017 (ten libraries), May 2018 (one library), October 2018 (12 libraries), December 2018 (18 libraries) and July 2019 (three libraries).
Article updated one hour after publication with Ganssle's analysis.