Simon Willison’s Weblog

Subscribe

Thursday, 5th December 2019

Two malicious Python libraries caught stealing SSH and GPG keys. Nasty. Two typosquatting libraries were spotted on PyPI—targetting dateutil and jellyfish but with tricky variants of their names. They attempted to exfiltrate SSH and GPG keys and send them to an IP address defined server. npm has seen this kind of activity too—it’s important to consider this when installing packages.

# 6:07 am / pypi, security, npm

2019 » December

MTWTFSS
      1
2345678
9101112131415
16171819202122
23242526272829
3031