Some Key Stealing Libraries Found in Python Package Index

Two key-stealing libraries were found in PyPI, the Python Package Index (archived). One mimicked the dateutil library by prepending "python3-", so that suckers could stumble into python3-dateutil. The other mimicked the jellyfish library but swapped a lowercase L for a capital I. Both were allegedly uploaded by the same user and exfiltrated data to the same destination. This is not the first time PyPI has had to remove malware mimicking popular packages, but it remains open to all comers and continues to exercise little actual control over the namespace it indexes.
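Both tricks described above (a "python3-" decoration on a real name, and a look-alike glyph swapped into one) can be caught before install by comparing what a requirements file asks for against the names a project actually trusts. The script below is an added example, not code from the original post or from PyPI; the trusted list, the requirements text and the confusable-character table are constructed for illustration, and a real deployment would feed it an allowlist or lockfile instead.

```python
"""Flag requirement names that look like typosquats of trusted packages.

Added example, not from the original post.  TRUSTED, SAMPLE_REQUIREMENTS and
CONFUSABLES are constructed for illustration.
"""
import re

# Constructed allowlist: the packages this project really depends on.
TRUSTED = {"python-dateutil", "jellyfish", "requests", "numpy"}

# Glyphs that read alike in many fonts, folded to one canonical character.
# The jellyfish look-alike in the post swapped a lowercase l for a capital I;
# lowercase i and the digit 1 are folded too so case-folded names still match.
CONFUSABLES = str.maketrans({"I": "l", "i": "l", "1": "l", "|": "l", "0": "o"})

# Decorations attackers bolt onto a real name ("python3-dateutil").
DECORATIONS = ("python3-", "python-", "py3-", "py-")


def normalize(name: str) -> str:
    """PEP 503 style normalization: case-fold, collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def fold(name: str) -> str:
    """Fold confusable glyphs first (before lowercasing eats the capital I)."""
    return normalize(name.translate(CONFUSABLES))


def strip_decorations(name: str) -> str:
    """Drop a leading python-/python3-/py- style decoration, if any."""
    for d in DECORATIONS:
        if name.startswith(d) and len(name) > len(d):
            return name[len(d):]
    return name


def impersonation_key(name: str) -> str:
    """Canonical form under which a look-alike collides with the real package."""
    return strip_decorations(fold(name))


def check(name: str, trusted=TRUSTED):
    """Return (verdict, trusted_name) where verdict is ok / suspicious / unknown."""
    n = normalize(name)
    if n in {normalize(t) for t in trusted}:
        return ("ok", n)
    key = impersonation_key(name)
    for t in trusted:
        if impersonation_key(t) == key:
            # Not a trusted name, but collapses onto one: classic typosquat shape.
            return ("suspicious", normalize(t))
    return ("unknown", None)


def audit(requirements_text: str, trusted=TRUSTED):
    """Run check() over every requirement line; returns (name, verdict, target)."""
    findings = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if not m:
            continue                                   # blank line or option
        name = m.group(1)
        verdict, target = check(name, trusted)
        findings.append((name, verdict, target))
    return findings


# Constructed sample requirements file containing both attack shapes from the post.
SAMPLE_REQUIREMENTS = """\
# constructed sample
requests>=2.0
python3-dateutil==2.8.1
jeIlyfish
numpy
"""

if __name__ == "__main__":
    for name, verdict, target in audit(SAMPLE_REQUIREMENTS):
        note = f" (looks like {target})" if verdict == "suspicious" else ""
        print(f"{verdict:10} {name}{note}")
```

The check is deliberately one-sided: a name is only flagged when it collapses onto something the project already trusts, so an unrelated package (`flask` here) comes back `unknown` rather than `suspicious`, and the confusable folding cannot produce false alarms between two trusted names unless they themselves differ only by a confusable glyph.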
