Two malicious Python 🐍 libraries caught stealing SSH and GPG keys:
From the article:
The first is "python3-dateutil," which imitated the popular "dateutil" library. The second is "jeIlyfish" (the first L is an I), which mimicked the "jellyfish" library.
Both have since been removed.
I was thinking about this earlier, when I upgraded jrnl. jrnl uses python-dateutil, which I noticed whizzing past on the terminal as I did the upgrade.
@ParadeGrotesque I like python a lot, but the pip ecosystem is just garbage.
@ParadeGrotesque this is why your ssh and gpg keys should always be password protected.
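Added example, not part of the thread or the linked article: a small pre-install check that flags dependency names imitating a trusted one, covering the two tricks quoted above (a look-alike character, as in "jeIlyfish", and an official-sounding prefix, as in "python3-dateutil"). The allow-list, the confusable-character table, the function names and the sample requirements are all constructed assumptions.

```python
import re

# Constructed allow-list: the names this project really intends to install.
KNOWN_GOOD = {"python-dateutil", "dateutil", "jellyfish", "requests"}

# Characters that look alike in many fonts, folded to a single form.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})
# Prefixes/suffixes that make a squatted name look official.
AFFIXES = re.compile(r"^(python3?|py)-|-(python3?|py)$")

def canonical(name):
    """PEP 503 style normalisation: lowercase, runs of - _ . become one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()

def skeleton(name):
    """Reduce a name to what a human skimming a terminal would 'see'."""
    stripped = AFFIXES.sub("", canonical(name))
    return stripped.translate(CONFUSABLES).replace("-", "")

def check(name, known_good=KNOWN_GOOD):
    """Return the trusted name that `name` imitates, or None if it looks fine."""
    canon = canonical(name)
    trusted = {canonical(k) for k in known_good}
    if canon in trusted:
        return None  # exact match with a package we actually want
    for good in sorted(trusted):
        if skeleton(good) == skeleton(canon):
            return good  # same skeleton, different name: likely a squat
    return None

def scan(requirements):
    """Check every requirement line; return (suspicious_name, imitated_name) pairs."""
    findings = []
    for line in requirements.splitlines():
        # Keep only the package name, dropping version specifiers and extras.
        name = re.split(r"[<>=!~\[;\s]", line.strip(), maxsplit=1)[0]
        if name and not name.startswith("#"):
            hit = check(name)
            if hit:
                findings.append((name, hit))
    return findings

# Constructed sample input (the version pins are made up for illustration).
SAMPLE = "python-dateutil==2.8.0\npython3-dateutil\njeIlyfish>=0.7\nrequests\n"

if __name__ == "__main__":
    for bad, good in scan(SAMPLE):
        print(f"{bad!r} looks like an imitation of {good!r}")
```

A name that is neither trusted nor a look-alike (for example a new, legitimate dependency) passes silently, so this complements hash-pinned requirements rather than replacing them.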