Two malicious Python libraries caught stealing SSH and GPG keys

[Hydrogen]

One library was available for only two days, but the second was live for nearly a year.

The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers.

The two libraries were created by the same developer and mimicked other more popular libraries -- using a technique called typosquatting to register similarly-looking names.

The first is "python3-dateutil," which imitated the popular "dateutil" library. The second is "jeIlyfish" (the first L is an I), which mimicked the "jellyfish" library.

The two malicious clones were discovered on Sunday, December 1, by German software developer Lukas Martini. Both libraries were removed on the same day after Martini notified dateutil developers and the PyPI security team.

While the python3-dateutil was created and uploaded on PyPI two days before, on November 29, the jeIlyfish library had been available for nearly a year, since December 11, 2018.

STEALING SSH AND GPG KEYS
According to Martini, the malicious code was present only in the jeIlyfish library. The python3-dateutil package didn't contain malicious code of its own, but it did import the jeIlyfish library, meaning it was malicious by association.

The code downloaded and read a list of hashes stored in a GitLab repository. The nature and purpose of these hashes was initially unknown, as neither Martini or the PyPI team detailed the behavior in great depth before the library was promptly removed from PyPI.

ZDNet asked today Paul Ganssle, a member of the dateutil dev team, to take a closer look at the malicious code and put it in perspective for our readers.

"The code directly in the `jeIlyfish` library downloads a file called 'hashsum' that looks like nonsense from a gitlab repo, then decodes that into a Python file and executes it," Ganssle told ZDNet.

"It looks like [this file] tries to exfiltrate SSH and GPG keys from a user's computer and send them to this IP address: http://68.183.212.246:32258."

"It also lists a bunch of directories, home directory, PyCharm Projects directory," Ganssle added. "If I had to guess what the purpose of that is, I would say it's to figure out what projects the credentials work for so that the attacker can compromise that person's projects."

DEVELOPERS ADVISED TO REVIEW PROJECTS
Both of the malicious libraries were uploaded on PyPI by the same developer, who used the username of olgired2017 -- also used for the GitLab account.

It is believed that olgired2017 created the dateutil clone in an attempt to capitalize on the original's library popularity and increase the reach of the malicious code; however, this also brought more attention from more developers and eventually ended up in exposing his entire operation.

Excluding the malicious code, both typosquatted packages were identical copies of the original libraries, meaning they would have worked as the originals.

Developers who didn't pay attention to the libraries they downloaded or imported into their projects should check to see if they've used the correct package names and did not accidentally use the typosquatted versions.

If they accidentally used any of the two, developers are advised to change the all SSH and GPG keys they've used over the past year.

This is the third time the PyPI team intervenes to remove typo-squatted malicious Python libraries from the official repository. Similar incidents have happened in September 2017 (ten libraries), October 2018 (12 libraries), and July 2019 (three libraries).

https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/

....


What are the odds of libraries, browser plug ins, adware and assorted attack vectors being developed to steal crypto private keys? Am I paranoid in thinking there is a potential for harm here? The most common method utilized in hacked crypto exchanges appear to utilize phishing as their primary to go method.

Do many hacked crypto exchanges conduct forensics analysis which would identify more insidious methods of attack. Phishing shouldn't be as prevalent as it is in this industry?

[1713473027]

1713473027

[1713473027]

1713473027

[PrimeNumber7]

Ideally anyone running production code involving computers that handle money (even if the code itself doesn’t), should review any libraries, fully understand what it is doing before importing them. I would also hope they wouldn’t use any code period that relies on downloading content from an unaffiliated third party as what these libraries were doing.

[gmaxwell]

Ideally anyone running production code involving computers that handle money (even if the code itself doesn’t), should review any libraries, fully understand what it is doing before importing them.

This means that you essentially cannot use javascript, ruby, python, or rust. All of them are orgies of dependencies autofetched and updated in a practically unaudited manner.

(Sure, it's technically possible to use these languages without their ecosystem, but it's impractical and moots much of their benefits).

[Carlton Banks]

javascript

I avoid it amap

ruby

not aware of using it... I'm a real hypocrite here as I should know whether I do or not, but am unaware of common uses of ruby, period

python

1. I check the python based dependencies for all applications I use pretty carefully (and don't use pip/PyPi at all, either the OS repo or compiling python source is the way to go)
2. not yet have I found something on PyPi that has source that I cannot byte-compile myself and install into Python's annoying package system
3. I can read/write python, and so I understand python just about well enough to be able to review code for weird/suspicious looking tricks such as in the OP, it'd have to be a more subtle trick to work

or rust

hmmm, I wish that wasn't true (AFAIK Firefox/Thunderbird are the only applications I currently use that involve rust, and presumably Mozilla enlist the so-called dependency-orgy ecosystem seeing as they're th developers of much of it)


That's why I'm happier using applications/libraries/system daemons/utilities written in C/C++ for anything but the most trivial purposes. The language standards and the (typical) libraries are far less numerous, and many have been around longer than Python has.

Sure, they're harder languages to learn, and easy to make mistakes with (and the amount of control you get using C/C++ makes the mistakes potentially calamitous to your computer). For anything at all critical, that's a good thing, software developers should be using powerful tools that they understand (including the underlying operating system) to produce critical components. And that means a tiny proportion of coders can work on critical code: great. We want exactly those types of people (i.e. competent) to be attracted toward working on that part of the computing science spectrum.

I worry that there will eventually be a modern day witch-hunt in respect of people using free and powerful computing tools, e.g. open source software, hardware with user flashable firmware, or programming languages that let you talk to the kernel could all become locked down at the hardware level (supremely ironic), but you can use these things as long as submit to a million screening procedures and adjunct hardware "unlockers" that both give you the access and constantly monitor everything you type. Computers would become like Gameboys, and real computers would need military export licensing

These hand-holding programming languages with their universe-loads full of standard libraries and constant emphasis on every resource being behind a URL... it just seems like it's part of the same trend to me. Instead of learning the encyclopaedia of Java objects and exceptions, why not use your brain to learn how the underlying operating system works? It's maddening that programmers of all people don't recognize that it could be only one newspaper article trend or an executive order away from being made inaccessible

Sorry for the rant, but the article in the OP just reminds me of all this; the trend where learning what's actually going on on your computer is increasingly less possible, because there's either too much material for 1 person to cope with, or the chain of trust is immature, opaque and qualitatively inadequate. I mean the packages on PyPi aren't even signed or checksummed, you just rely on the SSL connection for authenticity

[Carlton Banks]

If you're so paranoid, then you use offline or isolated environment for important things.

well, I do that too!

we can say "oh it doesn't matter, someone skilled enough can find bugs in any system or flaws in any protocol and hack in". Maybe, but I don't want to be low hanging fruit even if that's true. I guess it's always a trade-off between security and usability: the most secure computer is a broken one, you can't use it, so an adversary can't abuse it

[kano]

Ideally anyone running production code involving computers that handle money (even if the code itself doesn’t), should review any libraries, fully understand what it is doing before importing them.

This means that you essentially cannot use javascript, ruby, python, or rust. All of them are orgies of dependencies autofetched and updated in a practically unaudited manner.

(Sure, it's technically possible to use these languages without their ecosystem, but it's impractical and moots much of their benefits).

Technically possible ... well I guess it depends on who the typical hacker is who is writing the code.
I say 'typical hacker' because in my opinion that covers the majority of developers in bitcoin.
Broad technical expertise is very rare in bitcoin.

But I resolve that problem on my pool web site, no imported JS libraries, no python, no scripts written by anyone but me - no nodejs or other such code ... no google tracking, unlike most pools ...
... and the pool itself, C

But since the topic IS python ... well, there's a lot of bitcoin and pool code out there that uses python (not me ).

Heh - 25 malicious python libraries in the past few years ... sounds like a massive security risk to me.

[NotFuzzyWarm]

Ideally anyone running production code involving computers that handle money (even if the code itself doesn’t), should review any libraries, fully understand what it is doing before importing them. I would also hope they wouldn’t use any code period that relies on downloading content from an unaffiliated third party as what these libraries were doing.

Spot on target.
Far too many BTC devs seem to not care that in the end miner, proxy & pool code are FINANCIAL software and need to be vetted as such. People not only can but HAVE lost money due to bugs in it that testing would have easily caught. In other words: test the hell out of it BEFORE going live! Ya listening Slush/Braiins devs?

[Theb]

What are the odds of libraries, browser plug ins, adware and assorted attack vectors being developed to steal crypto private keys? Am I paranoid in thinking there is a potential for harm here? The most common method utilized in hacked crypto exchanges appear to utilize phishing as their primary to go method.

To be honest you aren't that paranoid, if scammers have now reach python libraries this just makes the situation more clearer for us that scammers will try what they can do just to steal our crypto. Before this we only see phishing websites, hyip, email extortion, email scams now we are seeing duplicate copies of Electrum, a clipboard virus disguised as a =https://www.bleepingcomputer.com/news/security/clipboard-hijacker-malware-monitors-23-million-bitcoin-addresses/free downloadable radio app, and scam Youtube channels that gives "free" ETH airdrops. Now with all the examples I have given criminals are basically covering everything they can and they are targeting almost everyone just for the chance to steal out crypto, literally no one is safe if we are too careless with what we do online.  

Do many hacked crypto exchanges conduct forensics analysis which would identify more insidious methods of attack. Phishing shouldn't be as prevalent as it is in this industry?

I don't think so, they usually handle it once the attack or threat has already happened and this is something they need to change aside from improving their security since prevention is something they need to focus more rather than the cure. They need to spot the vulnerabilities first before even the hackers/scammers spot it themselves.

[TechPriest]

1. I check the python based dependencies for all applications I use pretty carefully (and don't use pip/PyPi at all, either the OS repo or compiling python source is the way to go)
2. not yet have I found something on PyPi that has source that I cannot byte-compile myself and install into Python's annoying package system
3. I can read/write python, and so I understand python just about well enough to be able to review code for weird/suspicious looking tricks such as in the OP, it'd have to be a more subtle trick to work

With such paranoia i have better idea for you: create code in default notebook and compile it outside of your computer.
For example here - https://repl.it/languages/python3

Also, i'm very doubt that you're check all dependencies and source code for applications, of course, if you're not using 2-3 python applications and don't have any offline life. (or if you not working in code audit company) Because it's impossible to do for one person, due to number of updates, number of source code etc.  

If you want, and do not trust to how pip download packeges, you can download wheels from https://pypi.org/simple/ and setup it by yourself with pip help (building with pip through local computer).

Because without using pip it's more likely that package or application will be broken in result, than that you get phished.
Also, in Linux, just don't use sudo pip and install packages in --user repo or just create virtual env and everything will be fine.

[Carlton Banks]

With such paranoia i have better idea for you: create code in default notebook and compile it outside of your computer.
For example here - https://repl.it/languages/python3

you know the best way to do that? read the original source of what you're replicating, then write your "inspirational" version. You'd probably end up coming to the conclusion, in more than 90% of cases, that the original was better

Also, i'm very doubt that you're check all dependencies and source code for applications, of course, if you're not using 2-3 python applications and don't have any offline life. (or if you not working in code audit company) Because it's impossible to do for one person, due to number of updates, number of source code etc.

right, I didn't say that though. It's a simple case of checking the history of other projects using that library.
 

If you want, and do not trust to how pip download packeges, you can download wheels from https://pypi.org/simple/ and setup it by yourself with pip help (building with pip through local computer).

that gives you identical security as using pip, the SSL cerificate for https://pypi.org, so that makes zero difference


I don't get why doing basic 5-10 minutes research on Python libraries, then using the OS package manager to dl or compile them is paranoid. I do far more extreme things in the name of security, and it's on computers I'm, guess what, using Bitcoin with.

I hope you're lucky enough to avoid any malware with your "saner" approach. If I'm crazy, I'd prefer to stay that way if it means I can avoid malware theft of my BTC

[TechPriest]

I don't get why doing basic 5-10 minutes research on Python libraries, then using the OS package manager to dl or compile them is paranoid

Because pip is very powerful tool, which for example create all needed dependencies while installing some package. Without it, it's very likely that installed package can be working with some problems (exceptions, bugs, broken launches and etc).

Don't be angry on me, but for me it's look like i tell you: "here is hammer, you can use it to hammer in nails" And you asnwer: "No, thanks, i will better use my head!" 

I do far more extreme things in the name of security

Not using smartphones? Because it's well known fact that many programs on it (like instagram) can record any information through smartphone's receiver. Without you even notice. I have interesting story by myself 

Or not using Intel component parts, because it's well known that they implement backdoors in their hardware.

I hope you're lucky enough to avoid any malware with your "saner" approach. If I'm crazy, I'd prefer to stay that way if it means I can avoid malware theft of my BTC

Everything in the world have bad point, normal point and overkill. Your way - it's obvious overkill, on my modest view.