Two malicious versions of two Python packages were introduced in the Python Package Index (PyPI) with the purpose of stealing SSH and GPG keys from Python developers' projects.
One of them, using typosquatting to impersonate a legitimate library, resisted for about a year in the repository. The other survived for just a couple of days.
PyPI is a collection of software created and shared by the Python community to help developers in their projects.
Undetected for a year
The fake library that spent the least amount of time in PyPI available under the name 'python3-dateutil,' a clear impersonation of the '
dateutil' package with extensions to the standard Python datetime module.
... ...