Malicious packages found to be typo-squatting in Python Package Index
Hayley Denbraver
December 5, 2019
0 mins readTwo malicious packages were removed from the Python Package Index (PyPI) this week. These packages, jeIlyfish
(a misspelling of the package jellyfish
only noticeable when using certain fonts) and python3-dateutil
(impersonating the popular dateutil
package), were taking advantage of something called “typo-squatting”. Typo-squatting occurs when a malicious package is uploaded with a name similar to a common package in an attempt to get users to download the malicious version.
This post will summarize what is known about the packages, detail what is good and bad about the situation, and share relevant lessons associated with this incident. You can also find more information in our vulnerability database here and here.
What is known
The exploit is part of the jeilyfish
package. The python3-dateutil
package has the jeilyfish
library as a sub dependency. The exploit is not currently fully understood, but it appears to steals SSH and GPG keys from infected machines and sends them to a remote server. Both packages have been removed from PyPI.
Bad news
The
jeilyfish
library has been on PyPI for nearly a yearBecause the nature of the exploit is not fully understood, its impact on those who have downloaded it is difficult to estimate
Both malicious packages included all the functionality of the packages they were impersonating, meaning it would be easy to accept the malicious packages as correct
Typo-squatting has been a problem for many package managers, not just PyPI, and is likely to remain a problem
Good news
The number of downloads for the libraries is relatively low, maybe a few hundred people have been compromised
The
python3-dateutil
package has only been on PyPI for a couple of daysBoth malicious libraries have been removed
It is easy to check your project for either vulnerability, Snyk is free to use and can tell you if your project is compromised
Lessons going forward
Always be careful when downloading packages, be precise about spelling, and never guess a package name
Typo-squatting can inject malicious packages through indirect dependencies, which can be hard to spot
Keep an eye on your dependency tree, it is important to know what you are using so you can spot problems when they occur
Malicious packages within popular open source repositories have become increasingly common. If you believe you found a potential malicious package, you can report it to Snyk via our open source packages disclosure policy.
Start securing your open source packages with Snyk!
Get started in capture the flag
Learn how to solve capture the flag challenges by watching our virtual 101 workshop on demand.