Two Malicious Python Libraries Caught Stealing SSH and GPG Keys

The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers. From a report: The two libraries were created by the same developer and mimicked other more popular libraries -- using a technique called typosquatting to register similarly-looking names. The first is "python3-dateutil," which imitated the popular "dateutil" library. The second is "jeIlyfish" (the first L is an I), which mimicked the "jellyfish" library. The two malicious clones were discovered on Sunday, December 1, by German software developer Lukas Martini. Both libraries were removed on the same day after Martini notified dateutil developers and the PyPI security team. While the python3-dateutil was created and uploaded on PyPI two days before, on November 29, the jeIlyfish library had been available for nearly a year, since December 11, 2018.

speed up detection of this kind of fraud?

[Organic Brain Damage]

A clever white-hat could write a program that looks for capital i's next to lowercase l's and checks the word vs. dictionary to see if subbing the lowercase 'l' for the capital 'i' transforms the name from a spelling error to a legit word and flag those as potential hacks deserving more scrutiny.

Re:

[The New Guy 2.0]

I've had this problem on Slashdot with my previous screenname. Seems trivial to write a program that says "you may not have a capital i where a lowercase L is being used by somebody else..."

Scarey

[pi_rules]

When I saw python3-dateutil in the list this morning I was a bit worried. Thankfully it was only out for a couple of days. In the Debian system there's a system package called python3-dateutil and, at times, I have used that to globally install dateutil on systems.

It would have been pretty easy for me to pip install python3-dateutil instead of apt install python3-dateutil.

Re:

[Jaime2]

Yes, it is easy. What's hard, is that I spend hundreds of hours every year telling my developers that packages can't be trusted by default. I'm not saying you can't trust them, there simply has to be a vetting process.

For example, it would be great if the package has existed for a significant time, was used by many projects, and has a product identifier in the National Vulnerability Database. That's not a lot to ask. If this isn't possible, at least pin the version and run it through a static analysis progr

Re:

[110010001000]

" is that I spend hundreds of hours every year telling my developers that packages can't be trusted by default"
 
Do you also take the specs from the customers to the developers?

Re:

[Jaime2]

No. My job is to educate all of IT how to integrate good security practices into whatever they do. This particular lesson is not well received, but ignoring it is tantamount to negligence.

Re:

[thereddaikon]

Or you know, instead of pulling packages from a third party repo directly have local copies that have been vetted. You can source from the repo originally but the devs shouldn't be doing it themselves. IT should have copies on a network resource. This way you prevent not only issues like in TFA but also prevent stuff like the various NPM fiascos.

Re:

[Jaime2]

I usually recommend this, but there is a strong argument that version pinning provides the same security benefits, as long as the scanning tools are aware of the foreign inclusion. The kik fiasco would have still happened with version pinning, so I see your point. On the other had; if you version pin, upgrading the reference is less work.

Re:

[thereddaikon]

Sorry, what's the kik fiasco? The only thing related to them I'm familiar with is abruptly shutting down the app in favor of running a crypto currency.

Anyways, local copies also protects against supply chain attacks which version pinning does not. This attack vector is growing more and more in popularity as of late. I understand that devs may chafe at the notion that they can't just pull any library they want from wherever they want, whenever they want. Most that I have worked with have been very independen

Re:

[Jaime2]

The kik fiasco was when a popular npm package named "kik" changed its name at the behest of the owner of the messaging app Kik. https://blog.npmjs.org/post/14... [npmjs.org] . A large part of the world broke.

P.S. I fully support your rant.

Re:

[gweihir]

That was probably the idea behind the naming...

Correct me if I'm wrong

[Ryzilynt]

It sounds like this "jeIlyfish" library would largely be targeting those that are copy/pasting code from a malicious source.

Re: Correct me if I'm wrong

[mapkinase]

It's all from bad keming and stupid typesets

This is why I avoid 3rd party packages as a rule.

[jellomizer]

As a general rule I avoid installing 3rd party libraries for my software. When I do, they should be offering something of real value, such as pypyodbc which allows me to connect to a database. Or tools which can output as a formatted Excel file.

But for a lot of these 3rd party libraries, you put yourself at risk of downloading a malicious library. Getting a Library that isn't going to be supported into the next version, Library that will only work on a particular OS... The time and resources for me to validate most libraries takes more time then it does for me to code the workaround.

This isn't just with Python, but with RUST Cargo, .NET NuGet...

This stance usually get me into fights with Jr. Developers who just want to get the project done not thinking of the long term maintenance of the program. My goal is to get the raw source code that is decades old from source control, fix a couple lines of code and able to recompile and deploy. Not spend days on an old program finding all the 3rd party stuff. Sometimes having their licenses change so I have to buy what was once free, or change all the code around to use a new library, where the actual fix may have been to just ad a new recorded field to be stored. Being that the code may be 10 years old, I really don't want to spend weeks on it, I just want to fix, test, deploy document changes. Then forget about it for an other decade.

Re:

[skaralic]

This is absolutely the correct approach when building something that should last. In my previous company I wrote the entire backend in PHP, starting in 2007, with exactly zero external libraries, only using the PHP built-ins. Code still runs with no issues.

font family fix

[Anonymous Coward]

Wouldn't using a strong serif [typedia.com] font solve some of this form of typosquatting? That whole capital I instead of a lowercase l would stand out immediately.

Re:

[MyFirstNameIsPaul]

Is this also related to tools being used? In PuTTY (Windows), Ubuntu, and Mint terminals it is impossible for me to mistake l from I even from across the room.

Re:

[KiloByte]

These terminals use whatever font you configure them for. And, fixed-width fonts hardly ever are vulnerable to the l vs I homograph attack.

What's his name?

[sentiblue]

It's a damn shame that someone with pretty darn good skills who can write python lib and did it for the most disrespected purpose in the industry. It would be nice to know the crook's name so that he could get banned everywhere else.

Re:

[telek83]

You one of those... What people do doesn't matter, your trying to publicly shame him for being smarter then you. Rules are meant to be bent and broken, if people are stupid enough to fall for it, then the problem isn't the person who wrote it, it's lack of education with the general public. People should never have to dumb down themselves to make others feel safe or better about themselves... this is how this pandering shit got started.

You want to do something useful? Catch them! Don't attempt to dox someon

Use better fonts

[reanjr]

This problem is largely mitigated with proper typography. My terminal uses a serif font. I suggest others do the same.

Re:

[llamalad]

I came here to say this. There are some GREAT fonts out there for coding, and this article is a brilliant example of why it matters.

My personal favorite is Bitstream Vera Sans Mono.
But there are dozens (or hundreds) of choices out there; google it, find one you like, and use it.

Re:

[aberglas]

Use Microsoft's Verdana. Letters are different and easy to read. I think they made it free.

No need to use a Mono Seriffed font.

Re:

[account_deleted]

Comment removed based on user account deletion