The Python security team removed two malicious Python libraries from PyPI (the Python Package Index) that were found to steal SSH and GPG keys. Both libraries were created by the same developer and relied on typosquatting, names chosen to mimic popular libraries: python3-dateutil mimics the popular dateutil library, and jeIlyfish (with an uppercase I in place of the first l) mimics the jellyfish library.
German developer Lukas Martini discovered the two malicious libraries on Sunday; they were removed immediately after he notified the security team.
Martini claims that the malicious code exists only in jeIlyfish, and that python3-dateutil itself does not contain malicious code but imports the jeIlyfish library.
A review by Paul Ganssle, a member of the dateutil development team, suggests that the malicious code attempts to steal SSH and GPG keys from the user's computer and send them to an IP address.
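The two naming tricks described above (a homoglyph swap in jeIlyfish, a bolted-on `python3-` prefix in python3-dateutil) are mechanical enough to screen for. The following is an added example, not code from the article, PyPI or the dateutil project: it folds package names onto a constructed allowlist of well-known projects and audits requirements.txt-style lines for lookalikes, including a dependency pulled in indirectly, as python3-dateutil pulled in jeIlyfish.

```python
import re

# Constructed allowlist of well-known project names (not from the article).
POPULAR = {"python-dateutil", "jellyfish", "requests", "urllib3"}

# Characters that look alike in many fonts; the malicious "jeIlyfish"
# replaced the first lowercase L of "jellyfish" with an uppercase I.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})

# Decorations bolted onto a real name, as in "python3-dateutil".
DECORATIONS = re.compile(r"^(python3?[-_])|([-_]python3?)$")


def canonical(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of -, _ and . become -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def fold(name: str) -> str:
    """Collapse a name to the form that lookalikes share with the original."""
    return canonical(DECORATIONS.sub("", name.translate(HOMOGLYPHS)))


CANONICAL_POPULAR = {canonical(p) for p in POPULAR}
FOLDED_POPULAR = {fold(p): p for p in POPULAR}


def lookalike_target(name: str):
    """Return the popular project `name` impersonates, or None.

    An exact canonical match is the real project and is never flagged;
    a name that differs but folds onto a popular one is reported.
    """
    if canonical(name) in CANONICAL_POPULAR:
        return None
    return FOLDED_POPULAR.get(fold(name))


def audit_requirements(lines):
    """Map each suspicious requirement name to the project it impersonates."""
    flagged = {}
    for line in lines:
        req = line.split("#", 1)[0].strip()  # drop comments and blanks
        match = re.match(r"[A-Za-z0-9._-]+", req)  # name before any specifier
        if match and (target := lookalike_target(match.group(0))):
            flagged[match.group(0)] = target
    return flagged


# Constructed sample input modelled on the two packages in the article.
SAMPLE_REQUIREMENTS = ["python3-dateutil==2.8.1", "jeIlyfish  # pulled in by it",
                       "requests>=2.0", "python-dateutil", ""]

if __name__ == "__main__":
    print(audit_requirements(SAMPLE_REQUIREMENTS))
```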