Malicious Python library steals SSH keys! Check whether you were affected


Source: Python Developer (id: PythonCoder)

Tip: if you have installed the jellyfish library at any point in the last year, check your environment after reading this article.

Two malicious third-party Python libraries that stole SSH and GPG keys have been uncovered.

According to a ZDNet report on December 4, the PyPI security team removed two malicious Python libraries after discovering that they had been stealing SSH and GPG keys from the projects of developers who installed them.


Both libraries were uploaded by the same developer, olgired2017, and their names imitate well-known Python libraries.


> The first malicious library is python3-dateutil, which imitates the dateutil library;
(it was created on November 29 and survived only a few days.)

> The second malicious library is jeIlyfish (the first "l" is not a lowercase L but an uppercase i); it imitates the jellyfish library.
(It was created on December 11, 2018, and survived for nearly a year.)

On December 1, German developer Lukas Martini discovered the malicious libraries and reported them to the author of the dateutil library and to the PyPI team. The malicious libraries were subsequently removed.


Martini's analysis found that the malicious code exists only in the jeIlyfish library. The python3-dateutil library itself contains no malicious code, but it imports jeIlyfish.

ZDNet asked Paul Ganssle, a member of the dateutil development team, to carefully study the malicious code.

Ganssle said: "The malicious library jeIlyfish has a file named hashsum on GitLab. The file name is unremarkable, but it extracts SSH and GPG keys from the computers of affected developers and sends them to this IP address: 68.183.212.246:32258."

It also collects directory listings, the home directory, and the PyCharm project directory from the victim's computer, presumably so the attacker can work out which of the victim's projects are worth attacking or stealing from.

Apart from the key-stealing code, both counterfeit libraries contain the complete code of the library they imitate, so the malicious library behaves exactly like the genuine one.

Given that jeIlyfish was available for nearly a year, I suggest you check your environments. If you were affected, replace every SSH and GPG key used in the last year.

PS:

> This is the fourth time the PyPI team has removed malicious libraries: 10 were removed in September 2017, 12 in 2018, and 3 in July 2019.

> Swapping o for 0, or lowercase L for uppercase i, has always been a favorite trick of malware authors.
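
The self-check suggested above and the o/0, l/I trick in the PS can be turned into a script. This is an added example, not code from the article or from PyPI: it folds confusable glyphs and flags installed distributions whose folded name collides with a well-known package while their real name differs. KNOWN_GOOD and PREFIXES are assumed watch lists, and SAMPLE_INSTALLED is a constructed environment; check_environment() runs the same check against the real interpreter.

```python
"""Look-alike (typosquatted) package name check. Added example, not from
the original article. Folds 0/o, uppercase I / lowercase l and 1/l, then
flags installed names that match a known package only after folding."""
from importlib import metadata

# Genuine PyPI names the article's two fakes imitated, plus a few popular ones (assumed list).
KNOWN_GOOD = {"jellyfish", "python-dateutil", "requests", "urllib3"}
# Prefixes a squatter may add or drop, as python3-dateutil did (assumed list).
PREFIXES = ("python3-", "python-", "py-")
# Glyphs that look alike in many fonts; the article names o/0 and l/I.
CONFUSABLES = str.maketrans({"0": "o", "I": "l", "1": "l", "|": "l"})

def canonical(name: str) -> str:
    """PEP 503 style normalization: case-insensitive, '-', '_' and '.' are equal."""
    return name.lower().replace("_", "-").replace(".", "-")

def folded(name: str) -> str:
    """Canonical name with confusable glyphs folded (fold before lower-casing)."""
    return canonical(name.translate(CONFUSABLES))

def stem(name: str) -> str:
    """Folded name without a leading python3-/python-/py- prefix."""
    n = folded(name)
    for prefix in PREFIXES:
        if n.startswith(prefix):
            return n[len(prefix):]
    return n

def find_lookalikes(installed, known_good=KNOWN_GOOD):
    """Return (installed_name, imitated_name) pairs that deserve a look."""
    by_stem = {}
    for good in known_good:
        by_stem.setdefault(stem(good), set()).add(canonical(good))
    hits = []
    for name in installed:
        genuine = by_stem.get(stem(name))
        if genuine and canonical(name) not in genuine:  # same after folding, different for real
            hits.append((name, sorted(genuine)[0]))
    return hits

def check_environment():
    """Run the check against the current interpreter's installed distributions."""
    names = [d.metadata["Name"] or "" for d in metadata.distributions()]
    return find_lookalikes(names)

# Constructed sample: two genuine packages next to the article's two fakes.
SAMPLE_INSTALLED = ["requests", "jellyfish", "jeIlyfish", "python-dateutil", "python3-dateutil"]
if __name__ == "__main__":
    for bad, good in find_lookalikes(SAMPLE_INSTALLED):
        print(f"suspicious: {bad!r} looks like {good!r}")
```

A hit only means the name collides after folding; confirm by comparing the distribution's author and release history on PyPI before removing it.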


Source: blog.csdn.net/iodjSVf8U1J7KYc/article/details/103415421