Python libraries caught stealing SSH and GPG keys

Started by littleman, December 05, 2019, 07:01:17 PM

Previous topic - Next topic

littleman

Any Python people here?

https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/

python3-dateutil

jeIlyfish

Quote
The two malicious clones were discovered on Sunday, December 1, by German software developer Lukas Martini. Both libraries were removed on the same day after Martini notified dateutil developers and the PyPI security team.

While the python3-dateutil was created and uploaded on PyPI two days before, on November 29, the jeIlyfish library had been available for nearly a year, since December 11, 2018.

rcjordan