Two Malicious Libraries Found in PyPI Python Package Directory

In the PyPI Python package index (Python Package Index), the malicious packages "python3-dateutil" and "jeIlyfish" were detected. Both were uploaded by the same author, olgired2017, and disguised as the popular packages "dateutil" and "jellyfish" (the latter distinguished by the use of the character "I" (capital i) instead of "l" (lowercase L) in the name). After these packages were installed, encryption keys found on the system and the user's confidential data were sent to the attacker's server. The problematic packages have since been removed from the PyPI catalog.

The actual malicious code was present in the "jeIlyfish" package, and the "python3-dateutil" package used it as a dependency.
The names were chosen to catch inattentive users who mistype a package name when searching or installing (typosquatting). The malicious package "jeIlyfish" was uploaded about a year ago, on December 11, 2018, and went unnoticed. The "python3-dateutil" package was uploaded on November 29, 2019 and a few days later aroused the suspicion of one of the developers. Information on the number of installations of the malicious packages is not provided.
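A defender-side check for the naming tricks described above, added here as an example (it is not code from the article or from PyPI): it folds look-alike glyphs such as capital I and lowercase l before comparing a requested name against a trusted list, and separately flags near misses one edit away, which is how "python3-dateutil" relates to "python-dateutil". The TRUSTED list and the small CONFUSABLE table are constructed for the demo.

```python
import re

# Constructed allow-list standing in for the popular/approved packages a
# project actually depends on; a real check would use the real list.
TRUSTED = ["jellyfish", "python-dateutil", "requests", "numpy"]
# Hand-picked glyph pairs that read alike in many fonts (assumption: enough for the demo).
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})

def normalize(name: str) -> str:
    """PEP 503 style name: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def fold(name: str) -> str:
    """Fold confusables before lowercasing so capital I collapses onto l."""
    return normalize(name.translate(CONFUSABLE))

def levenshtein(a: str, b: str) -> int:
    """Edit distance, row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(name: str, trusted=TRUSTED, max_edits: int = 1):
    """Classify a requested name: ok, homoglyph, typo (near miss) or unknown."""
    n = normalize(name)
    for t in trusted:
        if n == normalize(t):
            return "ok", t
    for t in trusted:               # exact match only after glyph folding
        if fold(t) == fold(name):
            return "homoglyph", t
    for t in trusted:               # one character added, dropped or swapped
        if levenshtein(n, normalize(t)) <= max_edits:
            return "typo", t
    return "unknown", None

def scan_requirements(text: str) -> dict:
    """Run check() on every package named in requirements.txt-style text."""
    results = {}
    for line in text.splitlines():
        req = line.split("#", 1)[0].strip()
        if req:
            name = re.split(r"[<>=!~\[;\s]", req, maxsplit=1)[0]
            results[name] = check(name)
    return results
```

A "homoglyph" or "typo" verdict is a prompt for human review of the dependency, not proof of malice, since legitimate names can also sit one edit apart.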

The "jeIlyfish" package included code that downloaded a list of hashes from an external GitLab-based repository. Analysis of how these "hashes" were handled showed that they were in fact a base64-encoded script, which was decoded and then executed. The script searched the system for SSH and GPG keys, certain types of files from the home directory, and credentials for PyCharm projects, and then sent them to an external server running in the DigitalOcean cloud infrastructure.

Source: opennet.ru