Malicious packages found to be typo-squatting in Python Package Index
Two malicious packages were removed from the Python Package Index (PyPI) this week. These packages, jeIlyfish (a misspelling of the package jellyfish only noticeable when using certain fonts) and python3-dateutil (impersonating the popular dateutil package), were taking advantage of something called "typo-squatting". Typo-squatting occurs when a malicious package is uploaded with a name similar to a common package in an attempt to get users to download the malicious version.
This post will summarize what is known about the packages, detail what is good and bad about the situation, and share relevant lessons associated with this incident. You can also find more information in our vulnerability database entries for each package.
What is known
The exploit is part of the jeIlyfish package. The python3-dateutil package has the jeIlyfish library as a sub-dependency. The exploit is not currently fully understood, but it appears to steal SSH and GPG keys from infected machines and send them to a remote server. Both packages have been removed from PyPI.
What is bad
- The jeIlyfish library has been on PyPI for nearly a year
- Because the nature of the exploit is not fully understood, its impact on those who have downloaded it is difficult to estimate
- Both malicious packages included all the functionality of the packages they were impersonating, meaning it would be easy to accept the malicious packages as correct
- Typo-squatting has been a problem for many package managers, not just PyPI, and is likely to remain a problem
What is good
- The number of downloads for the libraries is relatively low; maybe a few hundred people have been compromised
- The python3-dateutil package has only been on PyPI for a couple of days
- Both malicious libraries have been removed
- It is easy to check your project for either package: Snyk is free to use and can tell you if your project is compromised
Lessons going forward
- Always be careful when downloading packages, be precise about spelling, and never guess a package name
- Typo-squatting can inject malicious packages through indirect dependencies, which can be hard to spot
- Keep an eye on your dependency tree; it is important to know what you are using so you can spot problems when they occur
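As an added example (not code from the original post or from Snyk), the following Python checker applies the last lesson to a `pip freeze` listing: each name is PEP 503-normalised, compared against the two packages from this incident, and then compared against a constructed allow-list of popular packages both after folding look-alike characters (the capital I in jeIlyfish) and by single-edit distance (python3-dateutil against python-dateutil). The allow-list, the sample listing and the function names are assumptions for illustration.

```python
"""Flag likely typo-squats in pip-freeze output.
Added example, not code from the original post or from Snyk. Each name is
PEP 503-normalised, then flagged if it is on this incident's known-bad list,
collides with a popular package once look-alike characters are folded
(jeIlyfish -> jellyfish), or is one edit from one (python3-dateutil)."""
import re
KNOWN_BAD = {"jeilyfish", "python3-dateutil"}  # normalised names from this incident
POPULAR = {"jellyfish", "python-dateutil", "requests", "urllib3", "setuptools"}  # constructed
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})  # fold look-alike characters
REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")  # name before ==, >=, etc.

def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def skeleton(name: str) -> str:
    """Fold confusable characters so 'jeIlyfish' and 'jellyfish' compare equal."""
    return normalize(name).translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; package names are short, so the quadratic loop is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_name(name: str):
    """Return why a name looks suspicious, or None if nothing matched."""
    norm = normalize(name)
    if norm in KNOWN_BAD:
        return "known malicious package from this incident"
    for good in sorted(POPULAR - {norm}):  # a popular name never matches itself
        if skeleton(norm) == skeleton(good):
            return f"confusable with '{good}'"
        if edit_distance(norm, good) == 1:
            return f"one edit away from '{good}'"
    return None

def scan_freeze(text: str) -> dict:
    """Map each flagged package in pip-freeze style text to the reason it was flagged."""
    findings = {}
    for line in text.splitlines():
        m = REQ_NAME.match(line)
        if m and (reason := check_name(m.group(1))):
            findings[m.group(1)] = reason
    return findings

# Constructed sample mirroring the dependency tree described in the post.
SAMPLE_FREEZE = "python3-dateutil==1.0\njeIlyfish==0.1\nrequests==2.22.0\n"
```

Running `scan_freeze` over the output of `pip freeze` in a virtual environment flags both packages from this incident by name, including jeIlyfish when it arrives only as a sub-dependency.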