Two malicious Python 🐍 libraries caught stealing SSH and GPG keys:

From the article:

The first is "python3-dateutil," which imitated the popular "dateutil" library. The second is "jeIlyfish" (the first L is an I), which mimicked the "jellyfish" library.

Both have since been removed.
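The two name tricks the article describes, a look-alike character ("jeIlyfish") and a bolted-on prefix ("python3-dateutil"), can both be caught before installation with a normalization check. The following is an added example, not code from the thread or the article; the watchlist, the homoglyph table and the 0.85 similarity cutoff are constructed assumptions.

```python
# Added example, not code from the thread or the article: a defender-side
# check that flags requested package names resembling a watchlist entry via
# a look-alike character ("jeIlyfish") or a bolted-on prefix ("python3-dateutil").
import re
from difflib import SequenceMatcher

# Constructed watchlist (assumption: a real deployment would load this from
# an internal allow-list or the most-downloaded names on the index).
KNOWN_PACKAGES = ("dateutil", "python-dateutil", "jellyfish", "requests")
# Characters that look alike in common terminal fonts, folded before
# lower-casing so a capital I becomes l rather than i.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})
# Prefixes that can be bolted onto a real name to pass as a variant of it.
PREFIXES = ("python3-", "python-", "py3-", "py-")

def canonical(name: str) -> str:
    """PEP 503 name normalization, the form pip compares names in."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()

def normalize(name: str) -> str:
    """Canonical form with look-alike characters folded as well."""
    return canonical(name.translate(HOMOGLYPHS))

def strip_prefix(name: str) -> str:
    """Drop one known prefix so 'python3-x' compares as 'x'."""
    for prefix in PREFIXES:
        if name.startswith(prefix) and len(name) > len(prefix):
            return name[len(prefix):]
    return name

def check_package(name: str, known=KNOWN_PACKAGES):
    """Return (verdict, matched_name) with verdict 'known', 'suspicious'
    or 'unknown'. A watchlist name is trusted; a name that only collides
    with one after homoglyph folding or prefix stripping, or that is very
    close in spelling, is flagged for human review before installation."""
    if canonical(name) in known:
        return "known", canonical(name)
    norm = normalize(name)
    for candidate in known:
        norm_known = normalize(candidate)
        if norm == norm_known or strip_prefix(norm) == strip_prefix(norm_known):
            return "suspicious", candidate
        # Near-miss spellings (e.g. a transposition); 0.85 is an assumed cutoff.
        if SequenceMatcher(None, norm, norm_known).ratio() >= 0.85:
            return "suspicious", candidate
    return "unknown", None

if __name__ == "__main__":
    for req in ("jeIlyfish", "python3-dateutil", "reqeusts", "Requests", "numpy"):
        print(req, "->", check_package(req))
```

Wiring a check like this into a requirements-file review or a private index proxy turns a naming trick into a blocked install plus an alert, rather than a silent key theft.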

I was thinking about this earlier, when I upgraded jrnl. jrnl uses python-dateutil, which I noticed whizzing past on the terminal as I did the upgrade.

@ParadeGrotesque I like python a lot, but the pip ecosystem is just garbage.

@ParadeGrotesque this is why your ssh and gpg keys should always be password protected.

@Huggles @ParadeGrotesque light reading how factotum works on plan9, why should credentials be so hard to isolate?

Mastodon @ SDF